Compliance of Privacy Policies with Legal Regulations - Compliance of Privacy Policies with Canadian PIPEDA

Abstract

The W3C’s Platform for Privacy Preferences (P3P) is a set of standards that provides for representation of web-sites’ privacy policies using XML so that a privacy policy can be automatically retrieved and inspected by a user’s agent. The agent can compare the site’s policy with the user’s preferences on collection and use of his/her private data. If the site’s privacy policy is incompatible with the user’s preferences, the agent informs the user on the privacy policy’s shortcomings. The P3P specification defines XML tags, schema for data, set of uses, recipients, and other disclosures for expressing web-sites’ privacy policies. It is important for the user’s agent to determine whether the site’s privacy policy actually satisfies privacy regulations that are applicable to the user’s current transaction. We show that the P3P specification is not sufficiently expressive to capture all of the legal requirements that may apply to a transaction. Consequently, to determine whether or not a site’s privacy policy satisfies the requirements of a particular law in question, the site’s privacy policy expressed in the natural language must also be retrieved and examined. To determine which legal requirements of a particular law are satisfied by the site’s P3P privacy policy, which is an XML document, we examine the document’s XML tags a relatively straight-forward task. To determine whether legal requirements, which cannot be satisfied by using P3P XML tags, are present in the site’s privacy policy expressed in the natural language, we use standard classification algorithms. As a proof of concept, we apply our approach to the Canadian PIPEDA privacy law and show up to 88% accuracy in identifying the legal privacy clauses concerning the Safeguard principle in privacy statements.