S2E27: "Automated Privacy Decisions: Usability vs. Lawfulness" with Simone Fischer-Hübner & Victor Morel

Today, I welcome Victor Morel, PhD and Simone Fischer-Hübner, PhD to discuss their recent paper, "Automating Privacy Decisions – where to draw the line?" and their proposed classification scheme. We dive into the complexity of automating privacy decisions and emphasize the importance of maintaining both compliance and usability (e.g., via user control and informed consent). Simone is a Professor of Computer Science at Karlstad University with over 30 years of privacy & security research experience. Victor is a post-doc researcher at Chalmers University's Security & Privacy Lab, focusing on privacy, data protection, and technology ethics.

Together, they share their privacy decision-making classification scheme and research across two dimensions: (1) the type of privacy decisions: privacy permissions, privacy preference settings, consent to processing, or rejection to processing; and (2) the level of decision automation: manual, semi-automated, or fully-automated. Each type of privacy decision plays a critical role in users' ability to control the disclosure and processing of their personal data. They emphasize the significance of tailored recommendations to help users make informed decisions and discuss the potential of on-the-fly privacy decisions. We wrap up with organizations' approaches to achieving usable and transparent privacy across various technologies, including web, mobile, and IoT. 

Topics Covered:

• Why Simone & Victor focused their research on automating privacy decisions 
• How GDPR & ePrivacy have shaped requirements for privacy automation tools
• The 'types' privacy decisions & associated 'levels of automation': privacy permissions, privacy preference settings, consent to processing, & rejection to processing
• The 'levels of automation' for each privacy decision type: manual, semi-automated & fully-automated; and the pros / cons of automating each privacy decision type
• Preferences & concerns regarding IoT Trigger Action Platforms
• Why the only privacy decisions that you should 'fully automate' are the rejection of processing: i.e., revoking consent or opting out
• Best practices for achieving informed control
• Automation challenges across web, mobile, & IoT
• Mozilla's automated cookie banner management & why it's problematic (i.e., unlawful)

Resources Mentioned:

• "Automating Privacy Decisions – where to draw the line?"
• CyberSecIT at Chalmers University of Technology
• "Tapping into Privacy: A Study of User Preferences and Concerns on Trigger-Action Platforms"
• Consent O Matic browser extension

Send us a text

Privado.ai
Privacy assurance at the speed of product development. Get instant visibility w/ privacy code scans.

Shifting Privacy Left Media
Where privacy engineers gather, share, & learn

Disclaimer: This post contains affiliate links. If you make a purchase, I may receive a commission at no extra cost to you.

Copyright © 2022 - 2024 Principled LLC. All rights reserved.