Whether shopping online, keeping on top of what’s happening in the world or booking their next trip, users have their personal dataprocessed each time they surf the Internet. The introduction of the GDPR – the General Data Protection Regulation – throughout the EU hasbrought with it a wide-ranging obligation for transparency, according to which data processors must inform data subjects about the processing of their data. Currently, this applies mostly to cookie warnings that appear when visiting a website. Professor Dr. Max von Grafenstein wants to provide orientation for users by means of easy-to-understand pictograms. Simone Harr spoke with the Professor of Digital Self-Determination (Einstein Center Digital Future / Berlin University of the Arts) about his new research project “Privacy Icons”.

What was the trigger for your research project?
The trigger was my being extremely annoyed with cookie banners: They really get on my nerves when I’m surfing the Internet and I don’t bother reading them anyway – and even if I do read them, they hardly tell me anything about the consequences that these cookies are going to have for me personally. In my eyes, this is a particularly vivid example of an unsuccessful implementation of the GDPR.

You are developing easy-to-understand icons that are intended to indicate that data is being processed and the extent to which this is happening. What do you hope to gain from the introduction of such pictograms?
These icons are supposed to inform data subjects (for instance, website users) of the extent and consequences of the processing of personal data – in other words its significance – and to do so in a particularly simple and intuitively understandable way. The icons are intended to supplement, not replace, the traditional text. So, if users want to know in detail what the icons mean or what’s going to happen to the data, they can still click on a text layer that describes all of this in greater detail. By the way, the GDPR even provides for such information to be machine-readable on a third level. This enables, among other things, the use of so-called privacy agents. These are technologies that pass on users’ privacy preferences to other technologies (such as websites) on behalf of users. Then users would no longer have to click on every privacy notice, as everything would be carried out automatically instead.

What do you see as the biggest challenge?
What makes this project particularly challenging is that we need to illustrate the complexity of data processing, and its associated risks, by means of intuitively understandable icons that users actually – that is, verifiably – understand.

Who are you working with?
For this project, we are working in our interdisciplinary research group “Digital Self-Determination”, which so far consists of legal experts as well as researchers specializing in the design of human-computer interaction. The question of how to implement the requirements of the GDPR in such a way that they are “effective” – meaning, among other things, the question of how to enable data subjects to foresee and control the risks of data processing – is therefore not a purely legal one, and can only be answered in conjunction with other research disciplines. If the effectiveness of data protection measures depends on the ability of those affected to apply them, then this is also an exciting task for usability and design researchers. We are also in close dialog with other research groups and representatives from industry across Europe who are researching this topic or who will be required, or even obliged, to use such privacy icons in the future. In this way, we ensure that the synergy effects are as great as possible.

You are actively involving ordinary citizens in the project. What do you expect from users?
For users, participation in the project is easy, but also exciting. In two-hour workshops, we initially discuss with them what risks they see in the processing of their data through certain technologies and how they would weigh these risks. In this regard, we also confront users with the risks perceived by the GDPR legislators themselves or by data-protection experts. This helps us researchers create a classification scheme for privacy risks that will ultimately be illustrated by the icons and understood by the user.

Can you describe how this cooperation with users actually works?
In order to ensure the effectiveness of the icons, users are directly involved in the research process of the project. To this end, and in close dialog with other research institutes in Europe, we will be holding several exploratory design workshops with interested users at the Berlin Open Lab of Berlin University of the Arts. These workshops will be conducted using various technologies. At a later stage, we will also design the actual icons together with the participants. In this way, users themselves are given the opportunity to participate actively in the research and to help shape the results.

What are the next steps in your research project?
The first workshops took place May 13 -15, 2019 at Berlin University of the Arts’ Berlin Open Lab. Here, together with the participants, we tested the research design of our workshop series using the example of language assistants and draw initial conclusions for the design of the privacy icons and the research process as a whole. This is our way of applying an agile and open method in our research and development

Further information and opportunities for participation can be found at www.privacy-icons.info