Automating the Evaluation of Privacy Policies using Artificial Intelligence

11 Jul 2018

Researchers from the European University Institute in Florence, in collaboration with The European Consumer Organisation (BEUC), created software called ‘Claudette’, a research project aimed at automating the enforcement of personal data and consumer law using artificial intelligence (machine learning). The program has been used to examine the privacy policies of 14 major tech businesses: Google, Facebook (including Instagram), Amazon, Apple, Microsoft, WhatsApp, Twitter, Uber, AirBnB, Skyscanner, Netflix, Steam, and Epic Games. The preliminary results of the study, conducted in June, one month after the GDPR took effect, showed that a third of the world’s largest technology companies’ clauses were ‘potentially problematic’ or contained ‘insufficient information’. 11 percent of the policies’ sentences used unclear language. The report does not point out which companies’ policies violated which provisions of the law, but shows only aggregated findings for all of the 14 companies. The research outlined the General Data Protection Regulation (GDPR) requirements that a privacy policy should meet (comprehensive information, clear language, fair processing), as well as the ways in which these documents can be unlawful: if the required information is insufficient, the language is unclear, or potentially unfair processing is indicated.

According to media reports, Monique Goyens, director general of BEUC, said the research was ‘very concerning as many privacy policies may not meet the standard of the law’, urging EU regulators to look at the possible violations the researchers spotted. A spokesperson for Alphabet’s Google stated that the firm has updated its privacy policy and uses clear and plain language. Amazon’s spokesperson said its policies are compliant with the GDPR, and that users of its Alexa service are in control of their data. Facebook did not respond in time for publication.
‘The experiments we conducted on these documents, using various machine learning techniques, lead us to the conclusion that this task can be, to a significant degree, realized by computers, if a sufficiently large data set is created’, states the report.

Explore the issues

Privacy and data protection are two interrelated Internet governance issues. Data protection is a legal mechanism that ensures privacy. Privacy is usually defined as the right of any citizen to control their own personal information and to decide about it (to disclose information or not). Privacy is a fundamental human right. It is recognised in the Universal Declaration of Human Rights, the International Covenant on Civil and Political Rights, and in many other international and regional human rights conventions. The July 2015 appointment of the first UN Special Rapporteur on the Right to Privacy in the Digital Age reflects the rising importance of privacy in global digital policy, and the recognition of the need to address privacy rights issues at the global, as well as national, levels.

