CyLab’s Norman Sadeh on Privacy Engineering and the GDPR

Daniel Tkacik

Nov 10, 2017

Today, policy makers and technologists from the US and Europe are convening in Leuven, Belgium for a workshop named, “Privacy Engineering Research and the General Data Protection Regulation: A Transatlantic Initiative.” The General Data Protection Regulation (GDPR) will soon replace the EU’s Data Protection Directive and set new, more stringent standards for data protection.

With a focus on privacy engineering, it is fitting that CyLab’s Norman Sadeh, a professor in the School of Computer Science and co-director of Carnegie Mellon’s Privacy Engineering Program, will be delivering the workshop’s keynote speech.

We recently conducted a Q&A with Sadeh to learn more about the GDPR and what he plans on talking about.

First off, what is the GDPR and who will it impact?

Sadeh: The GDPR is a major overhaul of the current EU Data Protection Directive, which sets the standards for the collection and processing of data about EU residents. The regulation will impact all companies operating in Europe, including all the big US tech companies and any other company that collects and/or processes data about EU residents. This ranges from large tech companies like Google, Facebook, and Amazon all the way to app developers whose apps are available for download by people in the EU. GDPR comes with a number of challenging requirements from a privacy engineering standpoint, including provisions for "erasure" (the right to request that your data be erased), "portability" (the right to take your data as collected by one provider and transfer it to another), transparency and understandability. These requirements give rise to a number of challenging research questions, which is the focus of this workshop. My keynote will focus in particular on the human element in GDPR and how one might be able to reconcile GDPR requirements and usability in the age of Big Data and the Internet of Things.

In what ways is CMU's Privacy Engineering program advancing these types of privacy rules?

Sadeh: Our Privacy Engineering program trains students to become privacy leads in the design and development of products, services and business processes, helping organizations ensure that they comply with applicable privacy laws and principles. For instance, we emphasize concepts such as “privacy-by-design,” which is also a key principle in the EU’s General Data Protection Regulation (GDPR). Privacy-by-design is a collection of principles and methodologies that help integrate privacy considerations from day one in the design process and also aim to mitigate privacy risk by minimizing the collection and retention of data.

When does GDPR come into effect, and what happens if companies do not comply?

Sadeh: GDPR kicks in on May 25, 2018 and comes with significant penalties – up to 4% of a company’s worldwide turnover or 20 million Euros, whichever is greater.

Can you give us a summary of what you’ll be talking about in your keynote?

Sadeh: The overall message of my keynote is that GDPR marks significant progress in attempting to codify rules that better protect people’s ability to control the collection and processing of their data. GDPR raises the bar for all organizations and forces them to revisit and update the way they process data. At the same time, many aspects of GDPR call for research to further inform some of its requirements and make its expectations practical for everyone. In particular, I will discuss some of our research findings modeling how users respond to different types of privacy choices. I will also discuss how different technologies we have been developing and experimenting with can help address critical issues of usability as well as mitigate cognitive and behavioral biases that need to be addressed if GDPR is to be as effective as it seeks to be. This includes technologies to effectively support users and help them manage large numbers of privacy decisions and also solutions to motivate users to carefully reflect on their privacy choices. I will also discuss our progress with machine learning and natural language processing techniques to help computers automatically annotate privacy policies and help check at scale for privacy compliance of technologies such as mobile apps.

Another point I plan to make is that GDPR makes it imperative that we develop privacy engineering technologies that can help level the playing field when it comes to compliance. We don’t want to be in a situation where only large and sophisticated organizations are able to comply. In particular, if you look at mobile and the Internet of Things where you have ecosystems that rely in great part on smaller players to contribute new technologies (e.g., new mobile apps, new IoT devices), there is a major need for privacy engineering technologies and tools that can help these less sophisticated players. Our research in mobile app compliance, for instance, has shown that a very large proportion of mobile apps today have privacy compliance issues. Developers are just unaware of the requirements and lack the necessary expertise and resources to comply.

These are some of the areas where our research group at CMU has been particularly active in the context of our Usable Privacy Policy project and our Personalized Privacy Assistant project.