Council of Europe: Lin Kyi receives 2024 Stefano Rodotà Award

The Stefano Rodotà Award is offered for original and innovative work in the field of data protection. MPI-SP’s Lin Kyi is the winner of the article category of the competition. 

PhD Candidate Lin Kyi wins prestigious award from the Council of Europe for her article on the deceptive design of General Data Protection Regulation’s Legitimate Interest.

Deceptive designs and users’ perception of “legitimate interest” purposes for data collection

The General Data Protection Regulation introduced in 2018 by the European Union identifies “legitimate interest” as a justification for processing data. However, the ambiguity of the term enables data controllers to deceive users and collect certain data without their explicit consent. An interdisciplinary investigation bridging computer science and law conducted by researchers at the Max Planck Institute for Security and Privacy, Utrecht University, the University of Washington, and the Max Planck Institute for Research on Collective Goods discovered deceptive designs of the privacy notices that appear when a user first opens a website. The researchers discovered that some websites have user interfaces that do not offer the option to object to legitimate interest-based data collection, while others provide little to no explanations as to what legitimate interest really means. In other cases, websites make it extremely difficult for users to opt out by using external links to privacy policies or forcing the user to click through a long list of preselected purposes manually.

In a follow-up study, the team of researchers explored how users perceive legitimate interest purposes. When evaluating the purposes, survey participants correctly recognized that this manner of data collection benefits the service providers and third-party vendors. They expressed feeling comfortable sharing such data for security and debugging purposes and when used by law enforcement for fraud identification. However, users were concerned about their data being employed for unwanted advertising, as well as the possibility of data misuse, privacy infringements and data breaches.

Lin concludes that “the ways legitimate interests are used in practice do not match users’ beliefs about how their data should be used, indicating that user preferences should be taken into account when creating and revising data protection laws and defining industry standards.” This study was conducted by Lin Kyi in collaboration with Sushil Ammanaghatta Shivakumar (MPI-SP), Franziska Roesner (University of Washington), Cristiana Santos (Utrecht University), Frederike Zufall (MPI for Research on Collective Goods) and Asia Biega (MPI-SP).

About the Stefano Rodotà Award

The Stefano Rodotà Award recognizes research projects in the field of data protection that are impressive by their innovation and originality. The prize is awarded in two categories: the best PhD thesis Category and the best article. The winners present their work at the plenary session of the Committee of Convention 108 in Strasbourg.