Max von Grafenstein , Isabel Kiefaber , Julie Heumüller , Valentin Rupp , Paul Graßl , Otto Kolless , Zsófia Puzst
{"title":"Privacy icons as a component of effective transparency and controls under the GDPR: effective data protection by design based on art. 25 GDPR","authors":"Max von Grafenstein , Isabel Kiefaber , Julie Heumüller , Valentin Rupp , Paul Graßl , Otto Kolless , Zsófia Puzst","doi":"10.1016/j.clsr.2023.105924","DOIUrl":null,"url":null,"abstract":"<div><p>Understandable privacy information builds trust with users and therefore provides an important competitive advantage for the provider. However, designing privacy information that is both truthful and easy for users to understand is challenging. There are many complex balancing decisions to be made, not only with respect to legal but also visual and user experience design issues. This is why designing understandable privacy information requires combining at least three disciplines that have had little to do with each other in current practice: law, visual design, and user experience design research. The challenges of combining all three disciplines actually culminate in the design and use of Privacy Icons, which are expected to make lengthy legal texts clear and easy to understand (see Art. 12 sect. 7 of the EU General Data Protection Regulation). However, that is much easier said than done. In this paper, we summarise our key learnings from a five years research process on how to design Privacy Icons as a component of effective transparency and user controls. We will provide examples of information and control architectures for privacy policies, forms of consent (especially in the form of cookie banners), privacy dashboards and consent agents in which Privacy Icons may be embedded, 2) a non-exhaustive set of more than 150 Privacy Icons, and above all 3) a concept and process model that can be used to implement the requirements of the GDPR in terms of transparency and user controls in an <em>effective</em> way, according to the data protection by design approach in Art. 25 sect. 1 GDPR. The paper will show that it is a rocky road to the stars and we still haven't arrived – but at least we know how to go.</p></div>","PeriodicalId":51516,"journal":{"name":"Computer Law & Security Review","volume":null,"pages":null},"PeriodicalIF":3.3000,"publicationDate":"2024-01-28","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://www.sciencedirect.com/science/article/pii/S0267364923001346/pdfft?md5=346ff487adc0ce805af363fe1afb0633&pid=1-s2.0-S0267364923001346-main.pdf","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Computer Law & Security Review","FirstCategoryId":"90","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0267364923001346","RegionNum":3,"RegionCategory":"社会学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"LAW","Score":null,"Total":0}
引用次数: 0
Abstract
Understandable privacy information builds trust with users and therefore provides an important competitive advantage for the provider. However, designing privacy information that is both truthful and easy for users to understand is challenging. There are many complex balancing decisions to be made, not only with respect to legal but also visual and user experience design issues. This is why designing understandable privacy information requires combining at least three disciplines that have had little to do with each other in current practice: law, visual design, and user experience design research. The challenges of combining all three disciplines actually culminate in the design and use of Privacy Icons, which are expected to make lengthy legal texts clear and easy to understand (see Art. 12 sect. 7 of the EU General Data Protection Regulation). However, that is much easier said than done. In this paper, we summarise our key learnings from a five years research process on how to design Privacy Icons as a component of effective transparency and user controls. We will provide examples of information and control architectures for privacy policies, forms of consent (especially in the form of cookie banners), privacy dashboards and consent agents in which Privacy Icons may be embedded, 2) a non-exhaustive set of more than 150 Privacy Icons, and above all 3) a concept and process model that can be used to implement the requirements of the GDPR in terms of transparency and user controls in an effective way, according to the data protection by design approach in Art. 25 sect. 1 GDPR. The paper will show that it is a rocky road to the stars and we still haven't arrived – but at least we know how to go.
期刊介绍:
CLSR publishes refereed academic and practitioner papers on topics such as Web 2.0, IT security, Identity management, ID cards, RFID, interference with privacy, Internet law, telecoms regulation, online broadcasting, intellectual property, software law, e-commerce, outsourcing, data protection, EU policy, freedom of information, computer security and many other topics. In addition it provides a regular update on European Union developments, national news from more than 20 jurisdictions in both Europe and the Pacific Rim. It is looking for papers within the subject area that display good quality legal analysis and new lines of legal thought or policy development that go beyond mere description of the subject area, however accurate that may be.