Researchers from the European Union Institute in Florence worked with the EU’s consumer organization to create the software. They then used the software to examine the privacy policies of 14 major technology businesses, including by Alphabet Inc., Amazon.com Inc., and Facebook Inc.
They found that a third of those clauses were "potentially problematic" or contained "insufficient information." Another 11 per cent of the policy’s sentences used unclear language, the academics said.
The researchers didn’t make public which companies’ policies violated which provisions of the law, publishing only aggregate findings for all of the companies in the study.
Clear and comprehensive explanations of what data a company collects, how it uses the data, and who it shares the information with, are key requirements of Europe’s new General Data Protection Regulation (GDPR), a sweeping privacy law that took effect on May 25. In many cases, companies must get explicit consent from customers to hold and process their data. Companies that violate the new rule can face fines as high as four per cent of global sales.
Among the problems found by the AI software -- which is called "Claudette" -- were policies that did not identify third parties a company might share personal data with, policies that stated users would be deemed to have agreed to a plan simply by using the company’s website and others that used vague and confusing language.
Monique Goyens, the BEUC’s director general, said the research was "very concerning" and urged EU regulators to look at the possible violations the researchers spotted. "Many privacy policies may not meet the standard of the law," she said in a statement.
The software uses natural language processing, a subfield of machine learning aimed at understanding language, to compare the wording of companies’ policy documents to model policy clauses that have been developed by an EU body that represents all of the bloc’s national data protection authorities.
"AI can be used to keep companies in check and ensure people’s rights are respected," Goyens said, adding that such software would make it easier for EU data privacy regulators to monitor the vast number of businesses they are now responsible for policing and to start legal action against those who break the law.
The researchers said they chose companies including social media giants and gaming platforms because they are dominant in the dominant technology platforms in Europe. They "should be setting a good example for the market to follow," the academics said in a statement.
The study was conducted in June, a month after GDPR took effect. The researchers noted that to prepare for GDPR many companies asked consumers to agree to update privacy policies. "Users were faced with a tsunami of update policies and new consent requests," the researchers said. "It is very hard for them to assess whether their rights are being respected."