Abstract
The aim of the present article is to analyze how Personal Information Management Systems (PIMS) may alleviate current problems in assuring the principle of transparency enshrined in Art. 5 of the GDPR. For that purpose, existing challenges in collecting valid consent and providing transparent information will be identified. Subsequently, an analysis of the current state of development of PIMS found on the market will be conducted and their potential for mitigating these issues will be considered.
Copyright information
© 2024 IFIP International Federation for Information Processing
About this paper
Cite this paper
Rochon, J. (2024). Enhancing Transparency Through Personal Information Management Systems: Current State of Service Offerings and Considerations for Further Advancements. In: Bieker, F., de Conca, S., Gruschka, N., Jensen, M., Schiering, I. (eds) Privacy and Identity Management. Sharing in a Digital World. Privacy and Identity 2023. IFIP Advances in Information and Communication Technology, vol 695. Springer, Cham. https://doi.org/10.1007/978-3-031-57978-3_15
DOI: https://doi.org/10.1007/978-3-031-57978-3_15
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-57977-6
Online ISBN: 978-3-031-57978-3
eBook Packages: Computer Science (R0)