In the recent past, there have been frequent reports of privacy violations by service providers on the Web. The providers are overstrained by the legal implications of processing personal data. Data-protection authorities in turn are overburdened with the enforcement of the regulations. Users themselves typically cannot identify those violations because they lack expertise in data-protection law. In this paper we propose and evaluate CAPE (Collaborative Access to Privacy Enhancement), an approach that makes data-protection law accessible to all parties involved in the processing of personal information. To this end, we transform legal expertise on data protection into intuitive questions that anyone can answer. CAPE is 'Web 2.0' in the sense that individuals answer the questions they can, and they benefit from the answers of others. To identify violations, we compare the answers to answer patterns, defined a priori, that indicate a violation. The main innovation is the combination of Web 2.0 functionality with the structured approach (sequences of closed questions in particular) that lawyers use to identify violations. In extensive user studies, we show that users can identify 81% of the violations that legal experts find. Further, individuals answer our questions with a high degree of agreement, independent of their background knowledge.
Published in:
Commerce and Enterprise Computing (CEC), 2010 IEEE 12th Conference on
Date of Conference: 10-12 Nov. 2010