A New AI Evaluates the GDPR Compliance of Top Tech Companies

AI ClaudetteStipulations in the EU’s newly enforced General Data Protection Regulation (GDPR) require enterprises to install more stringent data protection and privacy solutions. The regulation was approved in April 2016 to give organizations enough time to upgrade their systems, but many are still caught up in improvements. In an effort to evaluate the progress of these GDPR preparations, the European Consumer Organisation (also called Bureau Européen des Unions de Consommateurs or BEUC) and researchers at the European University Institute introduced an artificial intelligence (AI) tool that has assessed the new privacy policies of 14 top tech companies. The initial results, which cover the policies of social media companies, gaming sites, travel sites and more, show that many are still struggling with GDPR compliance.

Introducing Claudette

The cutting-edge AI tool is part of a research project hosted at the Law Department of the European University Institute. The project is headed by Giovanni Sartor and Hans-W. Micklitz; who are working with engineers from University of Bologna and University of Modena and Reggio Emilia. The “automated clause detector” tool, also called Claudette, is a web crawler that assesses the privacy policies of 14 different online services. Claudette scans and collects information, then compares the data against a predefined GDPR “gold standard” using supervised machine learning techniques.

The tool can recognize if certain clauses in the policies are lacking. It evaluates if the companies did not provide all the information required under the GDPR, if the processing of data is problematic, or if the policies use unclear language (which is against GDPR rules).

The GDPR report card

Claudette evaluated 14 of the top tech companies in the world—AirBnB, Amazon, Apple, Booking, Epic Games, Facebook, Google, Microsoft, Netflix, Skyscanner, Steam, Twitter, Uber, and WhatsApp. The research team specifically chose companies that offer different online services and identified the “most used” sites. One month after the GDPR was enforced, these were the results: from the total privacy policy sentences they evaluated, 11% were marked as unclear while 33.9% were identified as potentially problematic or provided insufficient information. According to their report, none of the analyzed privacy policies meet the requirements of the GDPR.

Still a work in progress

So far, as the research team has stated in a Q&A, Claudette has only been trained with a few data policies and is not ready to analyze policies by itself. For this particular study, the results of the automated scanning still had to be manually checked. But this experiment does show the range of possibilities for artificial intelligence tools and how they can be utilized in different fields. Further refinement of the tool could potentially help lighten the load of lawyers or administrators analyzing numerous privacy policies.

This experiment also shows how companies are progressing with their GDPR compliance. We see that some of the most popular multinational tech companies still need to improve their privacy policies and strengthen their data protection according to GDPR standards. Visit our GDPR resource page to learn more about GDPR compliance and how to strengthen security in accordance with its guidelines.


Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.