6 Eur Data Prot LRev 593
EDPL 4|2020 Reports | 593
Practitioner's Corner

Maria Mitjans Serveto, Legal Programme Officer at the European Commission. For correspondence: <Maria.MITJANS-SERVETO@ec.europa.eu>.
DOI: 10.21552/edpl/2020/4/17

I. Empirical Research on the Right to Explanation

One of the important data subjects' rights in the General Data Protection Regulation (GDPR)¹ concerns being informed, on request, about data processing activities. Namely, articles 13(2)(f), 14(2)(g) and 15(1)(h), read together with article 22 GDPR, form a set of provisions that grant data subjects a right to receive information about the existence of automated decision-making, including profiling, referred to in article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

This right has been named by scholars 'the right to explanation' and has sparked an important debate about its existence and scope.² However, there is a lack of empirical research focused on the information actually received when data subjects exercise this right towards online service providers.³ Enforcement of rights as an empowerment tool for users is of utmost importance. It is therefore crucial to critically assess the actual compliance (or not) of providers with data subjects' rights, in order to propose recommendations and open the debate on measures of improvement, or even to question whether individual enforcement can be seen as an effective measure to challenge decisions taken by automated decision-making processes.⁴

This report aims at filling the gap in substantial empirical evidence on the exercise of data subjects' rights. It does so by exemplifying it for a specific area: the right to explanation concerning the use of news recommender systems in the context of news curation. The report is based on an empirical research project undertaken between 2018 and 2019, in which forty-three online service providers received requests with the purpose of obtaining further information on how the personalisation of their news recommender system worked, as well as testing the knowledge that companies have about this right and seeing whether their approach complied with the GDPR. The research outcome allows a critical assessment of the empirical findings, in order to classify in a systematic way the pitfalls and shortcomings encountered and to open the debate on how to improve compliance with this right.

1 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, OJ L 119 (2016) 1-88.
2 Sandra Wachter, Brent Mittelstadt and Luciano Floridi, 'Why a Right to Explanation of Automated Decision-Making does not Exist in the General Data Protection Regulation' (2017) 7 International Data Privacy Law 2, 76-99; Gianclaudio Malgieri and Giovanni Comandé, 'Why a Right to Legibility of Automated Decision-Making Exists in the General Data Protection Regulation' (2017) 7 International Data Privacy Law 4.
3 Initiatives in the enforcement of GDPR data subjects' rights have been taken for the right of access, see Jef Ausloos and Pierre Dewitte, 'Shattering One-Way Mirrors - Data Subject Access Rights in Practice' (2018) 8 International Data Privacy Law 1.
4 In this regard, see Jef Ausloos, Pierre Dewitte, David Geerts, Peggy Valcke and Bieke Zaman, 'Algorithmic Transparency and Accountability in Practice' (2018) <https://uploads-ssl.webflow.com/5a2007a24a11ce000164d272/5ac883392c10d1baaa4358f2_AlgorithmicTransparencyandAccountabilityinPractice_CameraReady.pdf> accessed 8 December 2020.

II. Methodology of the Empirical Study

The empirical research was conducted along the following subsequent steps.

1. Mapping of Online Service Providers

First, a representative sample of 43 online service providers relying on news recommender systems was
identified and classified in three categories: first-party content providers⁵ (53% of the 43 providers), news aggregators⁶ (28%) or social media providers⁷ (19%). These three categories respond to the rationale of having a complete picture of the actual landscape of the online media sector: from traditional online newspapers, to news aggregators and other platforms used for receiving information, such as social media platforms. The goal in the selection was a balanced mix of national, EU and international providers, including both big players and small providers.

5 First-party content providers are defined as organisations that supply information which the organisation itself has created, for use on a website.
6 News aggregators are defined as client software or web applications which aggregate syndicated web content such as online newspapers, blogs, podcasts and video blogs (vlogs) in one location for easy viewing.
7 Social media are defined as websites and applications that enable users to create and share content or to participate in social networking.

2. Registering and Use of the Service

Once the service providers were identified, the project team members registered and started using the services at least twice a week for a minimum of five minutes. The use consisted of browsing, clicking and reading news content, thereby creating a normal interaction with the platform, and went on for around three months. In this phase, empirical evidence was gathered concerning which information was necessary to create an account, what other optional categories of personal data could be provided during the registration process, and the information on data protection provided by the controller at registration and during use.

3. Assessment of the Privacy Policy

The privacy policies of the providers used by the team were analysed concerning the level of explanation present ex ante and in light of the possibility to obtain more details ex post. The goal in that phase was to analyse whether controllers complied with articles 12 to 14 GDPR and whether the information was provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language. Parameters assessed included how easy the privacy policy was to find, its length, the information it contained and whether it associated each processing operation with one or more purposes and a legal basis.

4. Initial Request

After the three-month testing period, a first request (and where applicable reminders) with the following content was sent to the providers requesting an explanation of their news recommender system, in order to obtain more concrete information.

[DATE]
To the data protection officer of [ENTER COMPANY NAME],

Hi,
My name is [NAME] and I am a registered user of [COMPANY NAME] (username: XXX). As I understand it, you select and present the content on your platform/website/app in different ways depending on a number of parameters. Even if only partially, the selection and presentation of content appears to be targeted to me, based on my personal profile. With this in mind, I would like to exercise my rights under the General Data Protection Regulation (GDPR) and obtain further clarification on your news recommender system. I have read your privacy policy and would like to obtain more concrete and specific information relevant to my situation in particular. How exactly are you personalising your content delivery/presentation to me specifically?

Thank you very much

Best wishes,

The research team noted the date, the medium used to send the request and the ease with which the initial request could be filed, in order to have evidence about compliance with the 'easily accessible' criterion of the GDPR.

The last phase of the empirical study was the follow-up of the initial request in case no satisfactory answer was received. It lasted for two months, in which the goal was to obtain as much information as possible regarding the right to explanation. In this
period the providers were confronted more directly with the relevant GDPR provisions, including pointing out their accountability and requirement to demonstrate compliance, as can be seen from the wording of the follow-up request reproduced below. The information obtained, as well as the difficulties and obstacles found in the process, was collected for the purpose of having as complete empirical information as possible.

III. Evaluation of the Results of the Empirical Study

1. Observations Concerning Registering and Using the Service

In this phase, the focus was on compliance with GDPR principles such as privacy by design and by default, fairness and transparency of the processing, and the legal basis of the processing.

Almost all of the 43 providers (98%) asked for an email address to register, 56% asked for the full name, 30% requested a username and a minority of providers asked for other information (phone number, birth date or gender). Some of the fields to be completed can be regarded as excessive under the data minimisation principle and should be revised to ask only for the data strictly necessary for the registration process.

In this early phase, we detected some providers asking for consent in order to personalise the content, while the explanation provided was very limited, only stating that the recommendations would be based on 'your interaction', with no further details. Other providers asked users to disclose their age in order to influence the content that was going to be offered, again without providing further details. We also detected widespread practices of providers asking for consent in an unspecific way: the same tick box was used to accept the terms and conditions, the privacy policy and the cookie policy all at once, which does not fulfil the consent requirements of the GDPR as further developed in the Guidelines on Consent of the Article 29 Working Party.⁹ Some providers did not even require the specific checking of a box: simply by clicking the button 'follow', all conditions were deemed to have been accepted, which, again, is not compliant with the GDPR.

a. Structure-based Assessment

First, general facts to determine compliance with the principles of transparency and easily accessible information in a concise and transparent manner were collected. In judging how easy the privacy policy was to find on the platform (website, app, etc.), the number of clicks needed to go from the homepage to the privacy policy was counted.¹⁰ For 56% of providers it took one click to reach the privacy policy, meaning that it was already visible from the homepage, although some ways of showing it were not immediately straightforward and could be difficult to locate (for example, if the link was in a very faint colour, almost imperceptible). For 33% of providers it took two clicks to find the privacy policy and for the remainder (11%) three clicks or more. The team concluded in a self-assessment that in three quarters of the cases the policy was easy or very easy to find, and for 7% of providers very difficult. In 16% of the cases the privacy policy document had been embedded into another document. Concerning the number of words, 42% contained between 2,000 and 3,999 words and only 9% fewer than 2,000 words. 26% had a privacy policy with more than 6,000 words, and of those 3% even more than 10,000 words. Overall, the majority of providers are
[Follow-up request sent to the providers, reproduced from the original]

Hi,

Based on Article 15 GDPR, read together with Articles 12 and 22, I would like to obtain:

1. A copy of all my personal data held and/or undergoing processing, in a commonly used electronic form (Article 15(3)). Please note that this might also include any audiovisual material (e.g. voice recordings or pictures) and is not necessarily limited to the information contained in your customer database and/or the information you make available through the 'manage my profile' functionality.
2. Confirmation as to whether or not you are processing any 'special categories of personal data', also called 'sensitive data', about me (cf. Article 9), and if so a detailed list of that data.
3. If any data was not collected, observed or inferred from me directly, precise information about the source of that data, including the name and contact email of the data controller(s) in question ('from which source the personal data originate', Article 14(2)(f)/15(1)(g)).
4. If these data have been or will be disclosed to any third parties, please name these third parties along with contact details, in accordance with Article 15(1)(c). Please note that the European data protection regulators have stated that 'by default, controllers should name precise recipients and not categories of recipients. If you do choose to only name categories you must justify why this is fair, and be specific in naming the type of recipient (i.e. by reference to the activities it carries out), the industry sector and sub-sector and the location of the recipients' (Article 29 Working Party Guidelines on Transparency, WP260 rev.01).
5. All purposes of the processing for which each category of personal data collected is intended, as well as the lawful ground (cf. Art. 6(1)) for each specific purpose. For all uses of legitimate interests, please explain what those interests are (Article 14(2)(b)) and how you consider your interests to override mine.
6. Confirmation as to whether or not you consider yourself to be making automated decisions within the meaning of Article 22 GDPR. If the answer is yes, please provide meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for me in particular (Article 15(1)(h)).
7. Confirmation of how long each category of personal data is stored, or the criteria used to make this decision, in accordance with the storage limitation principle and Article 15(1)(d).
8. Confirmation of where my personal data is physically stored (including backups) and at the very least whether it has exited the EU at any stage (if so, please also detail the legal grounds and safeguards for such data transfers). If you make use of cloud services, please provide me with detailed information about where their servers are located and the details of your data processing arrangement with these providers.
9. Details of the security measures you undertook to safeguard my personal data (including, for example, encryption, access restrictions, data minimisation strategies, storage methods, etc.).
10. Confirmation as to what data subject rights you consider I have vis-à-vis you and how you would accommodate them.
11. Confirmation of whether or not, at any stage, you have recommended content to me on the basis of my personal data.
12. Explain the logic behind your news content recommendation system as applied to me in particular. For example:
   o What part of the content I consumed was personalised or recommended on the basis of my profile?
   o A comprehensive list of concrete (categories of) personal data involved in the recommender system (as applied to me specifically; merely giving examples of data that are being used to that end is not sufficient)
   o Why the respective (categories of) personal data were considered relevant for the recommender system
   o The weight of the different categories of personal data feeding the recommender system
   o Details of how your recommender system was designed, without having to give trade secrets or IP-protected information (e.g. background of the people involved, whether it is an ongoing process, etc.)
   o What priorities have guided the design of the recommender system

Thank you very much.

Best wishes,
[text missing on the page] ...plied with all the information that needs to be placed in the privacy policy. When the processing was based on the legitimate interests of the controller or of a third party, 30% of controllers had not specified the legitimate interest that they were pursuing. Similarly, when it was based on consent, 33% of providers did not mention the right to withdraw consent at any time. Another important factor is the right to lodge a complaint, which 30% did not mention in their privacy policy. The percentage with a lack of information is worst where the data was not obtained directly from the data subject: only 40% mentioned the categories of such data and just 53% identified the source from which the data originated.

Specifically, the information provided was as follows: for processing based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party were mentioned in 70% of the cases; details on potential data transfers to third countries were mentioned in 77% of the cases; and the percentage went down for the categories of personal data that had not been obtained directly from the data subject, mentioned in only 40% of the cases.

In terms of data subjects' rights, we can see a significant difference between the number of providers mentioning the rights already provided for in Directive 95/46/EC (right of access (93%), rectification (93%), erasure (95%) and objection (84%)), which almost all of the providers mentioned, and the (new) rights to data portability or restriction of processing, which were mentioned by 74% of providers. Compared to that, there is a dramatic difference concerning the right not to be subject to automated decision-making, including profiling, which was mentioned in only 12% of cases. None of the providers mentioned the right to obtain meaningful information about the logic involved, as well as the significance and the envisaged consequences of automated decision-making for data subjects. The right to obtain human intervention, to express one's point of view or to contest a decision was mentioned by only one of the providers, which referred to a guichet automatique where it was possible to state one's opinion, contest the decision and require human intervention.

Irrespective of this lack of general information about the right not to be subject to automated decision-making, the privacy policies explicitly recognised the use of a news recommender system (for example, mentioning the fact that news content is dynamically arranged on the basis of certain parameters) in 74% of the cases. An example of the formulation of this was:

  We use the information we have to deliver our Products, including to personalize features and content (including your News Feed, ... Feed, ... Stories and ads) and make suggestions for you (such as groups or events you may be interested in or topics you may want to follow) on and off our Products.

The explicit denial or confirmation of the existence of automated decision-making was different: 60% of providers did not mention anything, 35% recognised its existence. Examples of the formulation of this characteristic were:

  Computer algorithms select what you see in ..., except as noted. The algorithms determine which stories, images, and videos show, and in what order.

  This may include using automated systems to detect security and safety issues. We may use automated processes to help make advertising more relevant to you.

86% of providers did not mention anything as to whether news recommender systems constitute automated decision-making; only 12% explicitly recognised this, while one provider denied it. Examples were:

  ... collects and stores personal data about its users to customize reading. This includes automated decision-making to promote content tailored to the preferences and interests indicated by the user, and to their browsing history and network interactions.

  (i) Right not to be subject to automated decision-making where that would have a significant effect on you. We do not in fact engage in such activities, so this right will not, in practice, be relevant in the context of your use of our sites.

A part of the assessment was whether the logic involved was made public by the providers. Only a few provided information on that; examples are highlighted here:

  That Data Subjects are sorted into different groups for the purposes of the news recommender system as well as two examples of these groups (e.g. female 18-25, interest in travel and male 30-45, interest in tennis). These groups will receive different content and ads.

  Our Services allow you to stay informed about news, events and ideas regarding professional topics you care about, and from professionals you respect. Our Services also allow you to improve your professional skills or learn new ones. We use the data we have about you (e.g., data you provide, data we collect from your engagement with our Services and inferences we make from the data we have about you), to recommend relevant content and conversations on our Services, suggest skills you may have to add to your profile and skills that you might need to pursue your next opportunity. So, if you let us know that you are interested in a new skill (e.g., by watching a learning video), we will use this information to personalize content in your feed, suggest that you follow certain members on our site, or watch related learning content to help you towards that new skill.

3. Observations Concerning Interaction with the Online Service Provider

Concerning the actual interaction with the different providers, we analysed the practicalities of exercising the right and the substantive explanations received, in order to analyse compliance and the quality of the responses.

a. Practicalities When Interacting with the Providers

It is of utmost importance for the exercise of the right that the providers actually respond within the timeframe fixed in the GDPR (article 12(3): without undue delay and in any event within one month of receipt of the request, extendable by two further months where necessary, in which case the data subject must be informed of the extension within the first month). 21% of the providers had not provided any non-automated answer by the time the study was closed, after two months of interaction. 42% responded with at least a first non-automated answer in a reasonable timeframe of between the same day and 19 days, and 28% of providers required 30 to 59 days to deliver a first non-automated answer. In 56% of cases reminders had to be sent to receive a non-automated answer, and 13% of those cases required more than four reminders. This calls the effectiveness of the exercise of data subjects' rights into question.

The days between the first non-automated answer and the first substantive answer, and between that and the final answer, were also counted. 28% of providers required from 30 to 59 days to provide the first substantive answer. Regarding the final answer, only 16% of providers managed to issue a final substantive answer in less than 30 days. The majority of providers (58%) provided the final answer in a period between 30 and 59 days.

b. The Obstacles Raised by Providers

Once the first non-automated answer was received, we evaluated whether the providers introduced obstacles before giving the reply. 44% raised at least one: ten providers requested a proof of identity (which article 12(6) GDPR permits where the controller has reasonable doubts concerning the identity of the requester), five informed us that they needed extra time to process the request and three refused to act. The providers that refused gave the following reasons. One stated that the web service did not target EU visitors and therefore the GDPR would not apply; when we answered explaining the territorial scope of the GDPR, the provider still refused to act, stating that it was a small provider and did not have the resources to answer the question. Another provider stated that they did not hold our data and referred us to another entity. The third provider, after we had sent the ID, decided to close the inquiry, stating that the petition exceeded article 15 GDPR and that it was therefore not appropriate to comply with it.

c. The Substantive Content of Explanations

Assessing the substantive content of the answers, we tried to gather as much relevant information as possible regarding the logic involved, the significance and the envisaged consequences of the news recommender system for data subjects. We found out that, even upon request, 30% of controllers did not provide any information regarding that aspect and only 56% of providers supplied some data. Regarding compliance with article 15 GDPR, none of the controllers provided all the information listed in the article. The team concluded that the lack of complete information in the case of all providers is worrying: specifically, only 16% provided some information about the purposes for which personal data is processed and about the right to lodge a complaint with a supervisory authority; the recipients or categories of recipients to whom personal data have been or will be disclosed were provided in only 23% of the cases; and, in case of transfers to third countries, information about appropriate safeguards was provided in 21% of the cases.

A common practice among providers was to simply refer to the privacy policy, providing a link to that information without giving meaningful additional information, especially in the first non-automated answer. The providers that tried to deliver more complete information in some cases referred to the
type of filter used (e.g. collaborative filtering) and explained that the recommendations were based on the consumption of the specific user and the consumption habits of all users. Apart from these two variables, they mentioned 'a whole set of parameters that help to adjust the result', without explaining these parameters or their weighting. Other providers merely mentioned as parameters 'contextual' (news related to the one currently viewed) and 'personal' (news related to already viewed news), without going into more depth on the logic involved.

In the case of 'big players' it could be observed that the data subjects were 'flooded' with many links. This results in the opposite effect to what the GDPR rules try to achieve, because users are not informed more but actually less, owing to a lack of clear links or understandable information. The parameters that could be found in all those provided links were, amongst others: types of videos viewed, apps on the device and use of them, visited websites, anonymous identifiers associated with the mobile device, previous interactions with the platform or ads, geographic location, age range, gender and video interactions. Another provider named factors such as personal connections, preferences, interests and activities based on the data collected and learnt from the user and other parties, as well as location information. However, no information was given about the logic involved or the significance and envisaged consequences of such processing for the data subject.

In the follow-up request, we explicitly asked for more information about the design of the news recommender system, the priorities that guide that design and the way in which the system performs with an incomplete profile. Vague and generic answers were provided, such as 'we prioritize the privacy of our users and therefore we use the minimum data to offer recommendations', or defences were raised, namely 'we cannot give information about the criteria of prioritizing the content of our algorithms because it is part of our learning and allows us to improve the service in front of competitors'.

Lastly, regarding the interpretation of article 22 GDPR, of the controllers that provided an answer and considered their news recommender system to be automated decision-making, none considered that their personalised recommendations had a legal or similarly significant effect on data subjects, or they considered that 'although our content profiling treatment involves automated decision-making, it does not in the sense of article 22 GDPR', without providing any further explanation of this conclusion.

IV. What Type of Explanation Was Expected vs What Type of Explanation Was Obtained

A series of problems can be identified based on the empirical findings above, which are mentioned and classified in order to establish a list of the most common and serious drawbacks.

1. Lack of Compliance with Consent Requirements

According to the GDPR, consent should be a clear affirmative act, specific, informed and unambiguous. That could include ticking a box, but not silence, pre-ticked boxes or inactivity.¹² If consent is not correctly collected, then the processing cannot be regarded as lawful according to article 6 GDPR. Unfortunately, this is the case for many of the providers that were assessed. We detected several malpractices leading to invalid consent. For example, we noticed that some providers still do not ask for a clear affirmative act when asking for consent, or do not separate the different specific purposes for which consent is required but gather consent for one or multiple purposes in the same box. Even in the best practices detected, consent was also problematic because of the requirement of 'informed' consent, as that information often was missing or very little information was provided.

12 Recital 32 GDPR.

2. Lack of Implementation of Privacy by Design and by Default Principles

Recital 78 GDPR names some examples of measures that would meet the principles of data protection by design and by default. Assessing the registration process and the dashboard of some providers (if existing), we concluded that there is a lot of room for improvement in this regard and there are still some malpractices, like the lack of implementation of privacy by default: we found, for example, permissions already activated without the user having given express consent.

3. Lack of Complete Information in the Privacy Policies

The majority of providers had privacy policies with a range of 2,000 to 6,000 words. Nonetheless, none of the providers provided a complete list of the information required by articles 13 and 14 GDPR. Some of this information is key to assessing the lawfulness and purposes of processing or to exercising the right to lodge a complaint.

4. Lack of Sufficient Information

It was shown that there is generally a lack of concise, transparent and easily accessible information using clear and plain language. Concerning, for example, the number of words, it can be argued that the privacy policies are not concise if a relevant percentage of providers use more than 6,000, some even more than 10,000 words. Similar difficulties concerned accessibility. Easy accessibility and elements that facilitate the understanding of the data processing, for example a privacy dashboard, a summary of the key elements, graphics or visuals, are of utmost importance to raise awareness of and trust from data subjects, and should also be appreciated accordingly by providers.

5. Delay in Providing a Response

One of the main obstacles for data subjects when exercising their rights was the lack of response from many providers or the unjustified delay, which can lead to data subjects desisting from their petition.

6. Lack of Awareness of What Information is Required

Identifying shortcomings that specifically affect the right to explanation, the empirical findings supported the research team's impression that the right to explanation was practically unknown. Providers do not know what information needs to be provided and limit it to vague and general explanations. Moreover, requesting additional information in most cases led to an answer from which it was clear that providers try to avoid the applicability of article 22 GDPR. For this area, clear guidance will be required in order to clarify the scope of the right and the term 'similarly significantly affects him or her'.

7. Unwillingness to Provide Information on the Algorithms' Functioning

Although most providers simply ignored the question or did not provide any answer, those that did gave a general defence that the functioning of the algorithm was part of their knowledge and a kind of business secret.

8. Lack of Meaningful Information

If the aim of articles 13 to 15 GDPR is that data subjects receive sufficient and meaningful information that allows them to challenge and contest the automated decision, this goal is certainly not achieved by the information that was received from the 43 providers in the empirical study. There is no possibility to assess or detect bias, discrimination or lack of pluralism with the explanations we received.

9. Lack of Harmonized and Structured Response

Even though the design of the empirical study followed a structured initial request and follow-up request to facilitate the response of providers, the responses were very diverse and did not follow a common structure. In order to raise awareness and empower data subjects' rights, the different sectors would have to work on a common approach that helps users to receive similarly structured responses, allowing them to compare, become more aware of the processing of their personal data and the purposes for it, as well as of the compliance of providers with the GDPR.

V. Conclusion

The object of the project reported here was to analyse whether online service providers complied with the
GDPR provisions concerning the right to explanation. The aim was to confront the providers with a request exercising the right to explanation of their news recommender system, in order to obtain more concrete information as stated in articles 13(2)(f), 14(2)(g) and 15(1)(h) GDPR, read together with article 22 GDPR.

The results of the empirical research revealed the lack of awareness of and compliance with the right to explanation, the lack of implementation of privacy by design and by default solutions, the lack of meaningful information received and the lack of awareness of what information was required, as well as general shortcomings that data subjects encounter when exercising their rights. That led us to identify the issues detected and expose the great differences that a user would find between the 'theoretical' rights that the GDPR establishes and the reality when an individual wants to exercise these rights. In order to reach a more solid framework that helps build trust amongst users, it is important to work to correct the malpractices detected, raising awareness amongst users as data subjects and encouraging good practices from data controllers.

Acknowledgement: This paper is based on the master thesis defended as part of the final examination for the Advanced Master of Intellectual Property & ICT Law at KU Leuven (cum laude, 2019). The empirical study involved four KU Leuven students within the Advanced Master of Intellectual Property and ICT Law (Eliot Sanam, Nikolaos Ioannidis, Wannes Ooms and the author of this report) and a researcher from CiTiP (Pierre Dewitte), and took place from 15th November 2018 to 30th April 2019. The thesis was awarded the first prize of the VII Data Protection Research Award granted by the Basque Data Protection Authority (Spain). The information and views set out in this article are those of the author and do not necessarily reflect the official opinion of the European Commission.