Summary of the first Privacy Research Day
Written by Nataliia Bielova and Thomas Le Bonniec
October 3, 2022
The first edition of Privacy Research Day took place at the CNIL in Paris on June 28, 2022. By inviting experts in different fields to present their works and discuss their impact on regulation, the CNIL has created bridges between international researchers and regulators.
CNIL has released the replay of the Privacy Research Day, ensuring that those who missed the event can still watch it online: all the expert presentations and panel discussions were fully recorded and are available either in English (morning sessions and afternoon sessions) or in French.
The organizing committee for the Privacy Research Day received more than a hundred submissions from the international community of researchers, from EU countries such as Germany, Belgium, Spain and the Netherlands, as well as from outside the EU: the US, Canada, the United Kingdom and Singapore. Papers were selected based on their academic merit and originality; the main criterion was relevance for regulators, as well as the accessibility of the contribution. We wanted the conference to be an opportunity to start a discussion between academics and as many regulators as possible. We received many contributions that were also very interesting to us, but unfortunately, we could only select 18 papers to be presented.
With Privacy Research Day, CNIL offered a forum for interdisciplinary research and exchange around the broad topic of privacy, data protection and regulation: 17 groups of researchers in law, computer science, sociology, design and economy presented their work at the Privacy Research Day. Moreover, almost 40% of the presented articles were multi-disciplinary, which shows that researchers today collaborate across disciplines to address the complex problem of privacy and data protection within today’s society and emerging technologies.
Researchers from Spain, the United Kingdom, France, Belgium, Switzerland, Singapore, Luxembourg, and Germany presented their academic results in the broad field of privacy and data protection, organized into 6 panels. Here are some of the interesting points that were raised for each of them during the discussion with the public.
The Economy of Privacy. During the first panel, titled “Economy of Privacy”, the compliance gap between GDPR and its practical effects was discussed. For organizations, a first takeaway was that DPAs could help companies, especially small ones, with more specific definitions of terms such as “cost of implementation”, and by helping to assess what the actual cost of implementing compliance is going to be. For users, “real” compliance was raised as an issue to tackle: there is a gap between what they believe they have agreed to and what they have actually accepted. A further note was made that researchers could make use of a “standardized form of reporting GDPR fines and compensations” to the general public.
- Annika SELZER - An Economic Analysis of Appropriateness under Article 32 GDPR;
- Vincent LEFRERE - Privacy, Data and Competition: The Case of Apps For Young Children;
- Aileen NIELSEN - Measuring lay reactions to personal data markets.
Smartphones and Apps. The second panel offered an analysis of tracking in the mobile app ecosystem. Different measurement methods were presented, and the panel included a discussion on how consent should be approached in the mobile application ecosystem: all three panelists agreed that app developers bear the responsibility for collecting consent in a more transparent manner. Informing users in a more precise and specific way would allow for a proper collection of consent, and would simplify the information users need in order to understand what they are agreeing to.
- Alvaro FEAL - Don’t Accept Candy from Strangers: An Analysis of Third-Party Mobile SDKs;
- Konrad KOLLNIG and Pierre DEWITTE - A Fait Accompli? An Empirical Study into the Absence of Consent to Third-Party Tracking in Android Apps;
- Naif MEHANNA - The Price to Play: a Privacy Analysis of Free and Paid Games in the Android Ecosystem.
Users’ Perspectives and Perception of Privacy and Data Rights. This panel discussed the user perception of privacy in different aspects. The “Brussels effect” was observed from the user point of view, through the lens of the right of access and cookie banner compliance. One of the panelists explained that companies were less likely to be compliant when compliance requirements affected the core of their business model. In this context, enforcement was required to motivate compliance. Another panelist proposed to involve users through a right to customization. This offers them a possibility to control how their data are processed in a preventative way, and not after the damage is done (i.e., when their data is leaked or they lose control over it).
- René MAHIEU - Measuring the Brussels Effect through Access Requests;
- Zaira ZILHMANN - The Right to Customization: Conceptualizing the Right to Repair for Informational Privacy.
AI and explainability. Three papers were discussed in this panel, tackling “AI and explainability” in different ways. The tradeoff between accuracy and fairness, as well as explainability, was introduced. Similarly, the difficulty of using large text datasets to train NLP models was discussed and, during the third talk, the possibility of using AI to observe compliance was also brought up. The use of the term “AI” instead of “Machine Learning” was also questioned by someone from the audience, and panelists offered different answers explaining why AI was the right word in this context.
- Martin STROBEL - Privacy at the Intersection of Trustworthy Machine Learning;
- Hannah BROWN - What Does it Mean for a Language Model to Preserve Privacy?;
- Sallam ABUALHAIJA - AI-enabled Automation for Completeness Checking of Privacy Policies.
Organizational Challenges. Researchers on this panel discussed opportunities and strategies to increase compliance with the GDPR. Regulators, they suggest, could do with a comprehensive legal baseline, as well as template models that would help standardize the practices around designs. A point of interest was raised about the distinction between “Data Protection by Design” and “Data Protection by Default”. It was argued that “Data Protection by Design” is broader than a “Data Protection by Default” approach, but sometimes conflicts with it.
- Cécile CARON - Privacy-proofing blockchain. Socio-technical trade-offs and the design and experimentation trajectory of a service in the energy sector;
- Max VON GRAFENSTEIN - Web Tracking Under the New Data Protection Law: Design Potentials at the Intersection of Jurisprudence and HCI;
- Laurens SION - DPMF: A Modeling Framework for Data Protection by Design.
Tools for Data Protection Authorities. The final panel’s discussion revolved around the complementarity between academic researchers and DPAs. On the one hand, technical research is sometimes left lagging because its legal implications are not always clear to the researchers; DPAs could be very helpful in that respect. Conversely, DPAs could use researchers’ tools, for instance during their investigations. Another level of cooperation would be reached if DPAs set out public research goals that experts could gather around and tackle together.
- Robin CARPENTIER - An Extensive and Secure Personal Data Management System Using SGX;
- Asuman SENOL - Leaky Forms: A Study of Email and Password Exfiltration Before Form Submission;
- José GONZALES - Unique on Facebook: Formulation and Evidence of (Nano)targeting Individual Users with non-PII Data.
More than 3,500 visitors followed the first Privacy Research Day online, and 281 people registered to attend in person. The audience comprised Data Protection Officers, CNIL personnel, students and researchers, but also law firms, agents of various ministries in France, and industry representatives.
A number of visitors and speakers gave extremely positive feedback both on the organization and on the opportunity to exchange with the Data Protection Authority as well as with other attendees of the Privacy Research Day. “The Privacy Research Day won’t be the only one of this kind”, concluded the vice-chairman of the CNIL, François Pellegrini. CNIL is looking forward to organizing such events in the future to continue creating bridges between international researchers and regulators.