“GDPR data protection icons and transparency: where do we stand?” Panel at the CPDP 2020
Last January 22, the founding research institutes of the Privacy Icons Forum (PIF) have debated current and future issues of transparency and privacy icons in a panel organized by the Berlin University of the Arts (Einstein Center Digital Future) at the Conference on Computer Privacy and Data Protection 2020 (CPDP). The motivation was to illustrate the current state of research in the design of icon sets representing relevant aspects of data processing and discuss the upcoming challenges on the way to adoption and standardization by the European Commission.
The moderator, Arianna Rossi (IRiSC, SnT – Université du Luxembourg), opened the session by officially launching the PIF. She gave an overview of the main challenges related to the design of a data protection icon set and pointed to the outcomes of the DaPIS project, the first post-GDPR scientific attempt to collaboratively create and evaluate visual designs for legal transparency.
Marie Schirmbeck (Weizenbaum Institute for the Networked Society) explained the institute’s research approach on how to determine what information should be prioritized for visualizations on the top layer of a multi-layered information structure. They decided to base the selection and the design of the data processing aspects that should be visualized on their inherent risks. Thus, factors, such as attention, motivation and previous knowledge that also influence the decision-making process can be addressed from the very start of the design process. She presented the preliminary results of their first stage, which entails the extraction and categorization of relevant data processing aspects based on a qualitative content analysis of the GDPR and expert interviews. So far the analysis yielded the four main categories data type, data processing, data purpose and IT security. Before they enter the actual design stage, they will narrow down the selection to the most relevant aspects by means of expert and users surveys regarding possible risks.
Then, Maximilian von Grafenstein (Universität der Künste Berlin) presented the first preliminary results of their privacy icons research project focusing on the principle of purpose limitation. According to these results, a major problem of transparency measures is that data controllers specify their processing purposes in a too broad way. From the perspective of users, these broad purposes do not limit the later use of data so that users fear all kinds of risks. The research project therefore seeks to re-specify – together with data subjects, data protection authorities as well as data controllers – typical processing purposes that will indicate more clearly, which future use is covered by a purpose, and which not. Only on this basis, it will be possible to design corresponding privacy icons.
Rebekka Weiß illustrated the icon design journey initiated at the Bitkom. She stressed the difficulty of creating an icon set that could be applied across domains and on digital, as well as on physical products. She also described the Bitkom’s hesitance in releasing the icon set without further guidance by relevant authorities. Then, Régis Chatellier presented the mission of the LINC, the innovation and foresight laboratory of the French data protection authority (CNIL). The lab focuses on building UX design best practices for digital services in compliance with data protection and transparency requirements. He stressed the importance of working collaboratively among lawyers and designers and the efforts of CNIL in this respect, like the public platform “données et design”. Lastly, Anna Morgan (Irish Data Protection Commission), gave an overview of the growing number of transparency-related investigations into multinational companies led by the Irish authority. She highlighted how users frequently lack the necessary knowledge to understand how data processing works. She also warned against considering the icons a panacea to any transparency issue – quote that we, as PIF, entirely support.
What have we learned and how can we move forward? Adopting delegated acts in this respects does not appear to be a pressing need for the EC, while the EDPB has not promised a Guidelines on icons among its 2020s’ objectives. In order to fuel their actions, the outcomes of evidence-based interdisciplinary research are of utmost importance: this is why our international consortium of experts and institutions will continue to work collaboratively and disseminate results with the goal of exchanging best practices and comparing findings on data protection icons. Companies and other actors in EU value icons as promising transparency-enhancing means: but without any guidance or any evidence of their efficacy, it will be hard to implement them and impose their widespread adoption.
Stay tuned: a video-recording of the discussion will be online soon!