Reference : AI-enabled Automation for Completeness Checking of Privacy Policies
Scientific journals : Article
Engineering, computing & technology : Computer science
Security, Reliability and Trust
http://hdl.handle.net/10993/48449
AI-enabled Automation for Completeness Checking of Privacy Policies
English
Amaral Cejas, Orlando mailto [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > SVV >]
Abualhaija, Sallam mailto [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > SVV >]
Torre, Damiano mailto [Texas A&M University > Department of Computer Information Systems]
Sabetzadeh, Mehrdad mailto [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > SVV >]
Briand, Lionel mailto [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > SVV >]
In press
IEEE Transactions on Software Engineering
Institute of Electrical and Electronics Engineers
Yes (verified by ORBilu)
0098-5589
1939-3520
New-York
NY
[en] Requirements Engineering ; Legal Compliance ; Privacy Policies ; The General Data Protection Regulation (GDPR) ; Artificial Intelligence (AI) ; Conceptual Modeling ; Qualitative Research
[en] Technological advances in information sharing have raised concerns about data protection. Privacy policies containprivacy-related requirements about how the personal data of individuals will be handled by an organization or a software system (e.g.,a web service or an app). In Europe, privacy policies are subject to compliance with the General Data Protection Regulation (GDPR). Aprerequisite for GDPR compliance checking is to verify whether the content of a privacy policy is complete according to the provisionsof GDPR. Incomplete privacy policies might result in large fines on violating organization as well as incomplete privacy-related softwarespecifications. Manual completeness checking is both time-consuming and error-prone. In this paper, we propose AI-based automationfor the completeness checking of privacy policies. Through systematic qualitative methods, we first build two artifacts to characterizethe privacy-related provisions of GDPR, namely a conceptual model and a set of completeness criteria. Then, we develop anautomated solution on top of these artifacts by leveraging a combination of natural language processing and supervised machinelearning. Specifically, we identify the GDPR-relevant information content in privacy policies and subsequently check them against thecompleteness criteria. To evaluate our approach, we collected 234 real privacy policies from the fund industry. Over a set of 48 unseenprivacy policies, our approach detected 300 of the total of 334 violations of some completeness criteria correctly, while producing 23false positives. The approach thus has a precision of 92.9% and recall of 89.8%. Compared to a baseline that applies keyword searchonly, our approach results in an improvement of 24.5% in precision and 38% in recall.
http://hdl.handle.net/10993/48449
FnR ; FNR13759068 > Mehrdad Sabetzadeh > ARTAGO > Artificial Intelligence-enabled Automation For Gdpr Compliance > 01/01/2020 > 31/12/2022 > 2019

File(s) associated to this reference

Fulltext file(s):

FileCommentaryVersionSizeAccess
Open access
AATSB-TSE21.pdfAuthor postprint36.11 MBView/Open

Bookmark and Share SFX Query

All documents in ORBilu are protected by a user license.