Abstract: Tackling Compliance Deficits of Data-Protection Law with User Collaboration

Abstract—In the recent past, there have been frequent reports on privacy violations by service providers on the Web. They are overstrained with the implications of processing personal data. Data-protection authorities in turn are overburdened with the enforcement of the regulations. Users themselves typically cannot identify those violations due to missing expertise in data-protection law. In this paper we introduce and evaluate CAPE (Collaborative Access to Privacy Enhancement), an approach that makes data-protection law accessible for all parties involved in the processing of personal information. To this end, we transform legal expertise on data protection into intuitive questions that anyone can answer. CAPE is ’Web 2.0’, in the sense that individuals answer the questions they can, and they benefit from the answers of others. To identify violations, we compare the answers to answer patterns defined apriori that indicate a violation. The main innovation proposed in this article is the combination of Web 2.0 functionality with the structured approach (sequences of closed questions in particular) lawyers use to identify violations. In extensive user studies with CAPE, we show that users can identify 81% of those violations legal experts find. Further, individuals answer our questions with a high degree of agreement, independent from their background knowledge.