
arxiv: 1906.12038 · v1 · pith:SCFM67CBnew · submitted 2019-06-28 · 💻 cs.CY

Analyzing GDPR Compliance Through the Lens of Privacy Policy

Pith reviewed 2026-05-25 13:59 UTC · model grok-4.3

classification 💻 cs.CY
keywords: GDPR, privacy policies, cloud services, compliance, data protection, vulnerabilities, best practices

The pith

Privacy policies of many cloud services claiming GDPR compliance contain points that indicate potential non-compliance.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper examines the privacy policies of large-scale cloud services that claim to follow the EU's GDPR rules. It finds that these policies often lack the clarity and conciseness the regulation requires for informing users properly. The analysis flags specific issues, called GDPR vulnerabilities, across ten services. From this review the authors derive seven recommended practices for writing compliant policies. A reader would care because privacy policies are the primary channel through which companies must explain data handling to individuals under the law.

Core claim

The paper establishes that the privacy policy is the main medium of information dissemination between data controllers and users, and that many services claiming GDPR compliance today do not have clear and concise policies. Instead, their policies contain several points that potentially indicate non-compliance, which the authors term GDPR vulnerabilities. The authors identify such vulnerabilities in ten cloud services and then propose seven best practices for crafting GDPR privacy policies.

What carries the argument

The privacy policy itself, examined for clarity, conciseness, and specific points that signal potential GDPR non-compliance.

If this is right

  • Services must revise privacy policies to meet clarity and conciseness standards.
  • Specific sections in existing policies can be flagged as GDPR vulnerabilities.
  • Seven concrete best practices can guide the creation of compliant policies.
  • Companies claiming compliance should verify that their policies actually satisfy the identified requirements.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Regulators could use similar policy reviews as a low-cost way to prioritize audits of cloud providers.
  • Users might treat the presence of these vulnerabilities as a signal to seek alternative services with clearer policies.
  • The approach could extend to other data-protection laws beyond GDPR if the vulnerability criteria are adapted.
  • Future work might test whether adopting the seven practices actually reduces legal risk for companies.

Load-bearing premise

The authors' identification of specific points in the policies as indicating non-compliance is accurate and based on a valid interpretation of GDPR requirements.

What would settle it

A detailed legal review by GDPR experts that concludes the flagged points in the ten policies do not constitute non-compliance would show the identification method is incorrect.

Original abstract

With the arrival of the European Union's General Data Protection Regulation (GDPR), several companies are making significant changes to their systems to achieve compliance. The changes range from modifying privacy policies to redesigning systems which process personal data. This work analyzes the privacy policies of large-scale cloud services which seek to be GDPR compliant. The privacy policy is the main medium of information dissemination between the data controller and the users. We show that many services that claim compliance today do not have clear and concise privacy policies. We identify several points in the privacy policies which potentially indicate non-compliance; we term these GDPR vulnerabilities. We identify GDPR vulnerabilities in ten cloud services. Based on our analysis, we propose seven best practices for crafting GDPR privacy policies.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

3 major / 1 minor

Summary. The manuscript analyzes privacy policies of ten large-scale cloud services claiming GDPR compliance. It argues that many such policies are neither clear nor concise, identifies specific points termed 'GDPR vulnerabilities' that indicate potential non-compliance, and proposes seven best practices for drafting GDPR-compliant privacy policies.

Significance. If the mapping from policy text to actual GDPR violations can be made explicit and reproducible, the work would usefully document concrete compliance gaps in cloud-service policies and supply actionable drafting guidance. The absence of selection criteria, decision rules, and article-level citations currently prevents the central claim from being evaluated or extended by others.

major comments (3)
  1. [Abstract] Abstract: The claim that 'many services that claim compliance today do not have clear and concise privacy policies' and that 'GDPR vulnerabilities' exist in ten services is stated without any description of service-selection criteria, policy-sampling method, or definition of what constitutes a vulnerability.
  2. [Analysis section] Analysis of the ten policies (main results section): No explicit mapping is supplied between each flagged policy passage and the specific GDPR article(s) it allegedly violates (e.g., Art. 5, 12, 13, or 30). The paper therefore does not distinguish mandatory requirements from recommendations, leaving the classification of services as non-compliant dependent on unstated interpretive judgment.
  3. [Methodology] Methodology (wherever described): The qualitative review supplies neither an inter-rater protocol nor decision criteria for labeling text as non-compliant, which is load-bearing for the reproducibility of the ten-service findings and the subsequent best-practice recommendations.
minor comments (1)
  1. [Abstract / Introduction] The term 'GDPR vulnerabilities' is introduced in the abstract without an operational definition; a short definitional paragraph early in the paper would improve clarity.

Simulated Author's Rebuttal

3 responses · 0 unresolved

We thank the referee for these constructive comments, which correctly identify gaps in transparency and reproducibility. We will revise the manuscript to address each point explicitly, adding the missing details on selection, mappings, and criteria without altering the core findings.

Point-by-point responses
  1. Referee: [Abstract] Abstract: The claim that 'many services that claim compliance today do not have clear and concise privacy policies' and that 'GDPR vulnerabilities' exist in ten services is stated without any description of service-selection criteria, policy-sampling method, or definition of what constitutes a vulnerability.

    Authors: We agree the abstract and introduction should state the selection criteria (top cloud providers by market share that publicly claimed GDPR compliance at the time of analysis) and sampling approach (latest publicly available English-language policies). We will also add an explicit definition of 'GDPR vulnerability' as a policy passage that appears inconsistent with the transparency or information requirements in Articles 5, 12, or 13. These additions will be made to the abstract, introduction, and a new methodology subsection. revision: yes

  2. Referee: [Analysis section] Analysis of the ten policies (main results section): No explicit mapping is supplied between each flagged policy passage and the specific GDPR article(s) it allegedly violates (e.g., Art. 5, 12, 13, or 30). The paper therefore does not distinguish mandatory requirements from recommendations, leaving the classification of services as non-compliant dependent on unstated interpretive judgment.

    Authors: The observation is accurate; the current text relies on implicit alignment with the GDPR articles. In revision we will insert a mapping table (or inline citations) for every flagged passage, linking it to the specific article(s) and noting whether the issue concerns a mandatory obligation or a recommendation. This will allow readers to assess the mappings independently and will clarify the distinction between compliance gaps and best-practice suggestions. revision: yes

  3. Referee: [Methodology] Methodology (wherever described): The qualitative review supplies neither an inter-rater protocol nor decision criteria for labeling text as non-compliant, which is load-bearing for the reproducibility of the ten-service findings and the subsequent best-practice recommendations.

    Authors: We accept that the methodology section is insufficiently detailed. We will expand it to document the decision criteria (e.g., failure to provide information in a concise, intelligible form per Art. 12, or omission of required elements per Art. 13) and describe the review process (independent reading by the authors followed by joint discussion of borderline cases). A formal multi-rater reliability study was not performed; we will therefore characterize the process as author consensus rather than claiming inter-rater statistics, while making the criteria explicit enough for others to replicate or critique. revision: partial

Circularity Check

0 steps flagged

No circularity: qualitative policy review rests on direct reading, not self-referential derivation

Full rationale

The paper performs a manual qualitative review of ten privacy policies to flag potential GDPR issues and propose best practices. No equations, fitted parameters, or mathematical derivations exist. The central claims rest on the authors' interpretive judgments about policy text rather than any reduction of outputs to inputs by construction. No self-citation load-bearing steps, uniqueness theorems, or ansatzes are invoked. The analysis is self-contained against external policy documents; any weakness lies in the absence of explicit legal mapping criteria, not in circular logic.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axiom · 1 invented entity

The claim rests on the domain assumption that privacy policies are the primary information channel under GDPR and that the authors can reliably flag non-compliance from text alone; the term 'GDPR vulnerabilities' is introduced without external validation.

axioms (1)
  • domain assumption: GDPR requires privacy policies to be clear and concise (Article 12)
    Invoked implicitly when labeling policies as non-compliant.
invented entities (1)
  • GDPR vulnerabilities (no independent evidence)
    purpose: term for points in policies that potentially indicate non-compliance
    New label coined by the paper; no independent evidence or falsifiable test is provided in the abstract.

