What happens to my data? A novel approach to informing users of data processing practices
Citizens increasingly use the Internet to buy products or engage in interactions with others, both individuals and businesses. In doing so they invariably share (personal) data. While extensive data protection legislation exists in many countries around the world, citizens are not always aware (enough) of their rights and obligations with respect to sharing (personal) data. To remedy this gap, users ought to become better informed of companies’ data processing practices. In the past, various research groups have attempted to create tools to this end, for example through the use of icons or labels similar to those used in nutrition. However, none of these tools have gained extensive adoption, mostly because it turns out that capturing privacy legislation in simple, accessible graphics is a complicated task. Moreover, we believe that the tools that were developed so far do not align closely enough with the preferences and understanding of ordinary users, precisely because they are too ‘legalistic’.
In this paper we discuss a user study conducted to gain a better understanding of the kinds of information users would wish to receive with respect to companies’ data processing practices, and the form this information ought to take. On the basis of this user study we found a new approach to communicating this information, in which we return to the OECD’s Fair Information Principles, which formed the basis for (almost all) data protection legislation. We end the paper with a rudimentary proposal for an end user tool to be used on companies’ Web sites.