• by Ray Schultz , Columnist, July 5, 2018

High-tech companies like Google and Facebook are failing to meet GDPR standards for privacy policies. Who says so? An AI tool called Claudette.

That AI system was recently tested by researchers at the European University Institute in Florence (EUI), with support from the EU consumer group BEUC. They call the project “Claudette 1 meets GDPR ”

Claudette relies on a web crawler to monitor on a daily basis. It is trained to scan privacy policies and match them against a GDPR “gold standard,” according to a Q&A posted by the EUI.

To test Claudette, the researchers examined 14 online services: Google, Facebook, (and Instagram), Amazon, Apple, Microsoft, WhatsApp, Twitter, Uber, AirBnB, Booking, Skyscanner, NetflixStea and Epic Games.

Why these 14? Because they are among the biggest and “should therefore be setting a good example for the market to follow,” the EUI states.

These players apparently fail to meet the gold standard. In general, they:

• Fail to provide all the information required by the GDPR — i.e., when they share data with third parties.
• Use vague language that is hard for consumers to understand, preventing from them from learning out how their data is being used.
• Do not process personal data according to GDPR rules — for example, some have clauses saying that the user agrees to a company’s privacy policy simply by using its website.

Claudette produces “a color coded ‘annotated’ privacy policy where all clauses are categorized, singling out those clauses that could be non - compliant or, at least, problematic and therefore deserving special attention,” the EUI states.

However, the findings are far from complete.

“These are preliminary results and so far 'Claudette' has only been trained with a small number of privacy policies, therefore the results of the automated scanning are not 100% accurate,” the report states. “More data is needed to obtain higher quality results.”

But the groups are moving forward. “BEUC will bring this research to the attention of the data protection authorities and will continue monitoring market developments closely.,” the Q&A says. “We do not rule out taking further legal actions as appropriate.

What is the gold standard? According to the Q&A, consumers should be given information about data processing - among others, the identity of the controller, legal basis and purpose of processing, recipients of personal data, right to rectify and complain.”