Legislators and enforcement authorities are increasingly faced with the challenge of ensuring the effectiveness of laws. This is particularly true in the area of technology law, which is characterised by a complex interplay of legal, technical, economic and social factors and an extremely dynamic pace of development. Legislators are therefore confronted with the difficulty of creating a legal framework for these developments that they may only know and foresee to a limited extent. Similarly, authorities are faced with the challenge of ensuring effective implementation of legal requirements in practice.
The consent banner, for example, shows that laws are often only effective to a limited extent: the legislative idea behind the consent banner is that consumers should be able to make an individual decision as to how much privacy they want to exchange for which range of functions on the website they are visiting. In reality, however, consumers click away the vast majority of consent banners without having understood their actual meaning. This is primarily due to the lack of transparency, the deceptive design and the frequency with which consumers have to give their consent, for example in the form of consent banners.
The underlying reason for such ineffective laws is of a methodological nature: until now, there has been limited knowledge of which methods can be used to empirically prove and ensure a more effective design of consent banners or, more generally, a more effective design of laws and their effective implementation. With our interdisciplinary methods in the field of legal design, we are making an important contribution to closing this knowledge gap. We do this in particular by developing working prototypes for legal-technical solutions, such as consent banners and consent agents, and validating their effectiveness empirically with qualitative studies (for hypothesis creation) and quantitative studies (for verifying them). In particular, by comparing different solutions in quantitative A/B tests, we are able to determine which solution is more effective than others and, thus, which solution represents the so-called state of the art (which Art. 25 sect. 1 GDPR requires data controllers, such as website providers, to take into account).
Through our human-centred multi-stakeholder processes, we ensure that we take into account the interests of all affected stakeholders, in particular consumers, businesses and regulators, and not the one-sided interests of individual groups. As these are continuously iterative design and validation processes, we endeavour to constantly improve the state of the art and to stimulate a positive development dynamic on the market towards ever more effective legislation. In this way, we aim to help realise the full potential of data-driven innovation for the benefit of real-life European values.
Paul Grassl, Nina Gerber, Max von Grafenstein (2024). How Effectively Do Consent Notices Inform Users About the Risks to Their Fundamental Rights? EDPL 1/2024.
Grafenstein, M. v., Kiefaber, I., Heumüller, J., Rupp, V., Graßl, P., Kolless, O., & Puzst, Z. (2024). Privacy icons as a component of effective transparency and controls under the GDPR: effective data protection by design based on art. 25 GDPR. Computer Law & Security Review, Volume 52.
Grafenstein, M. v., Jakobi, T., & Stevens, G. (2021). Effective data protection by design through interdisciplinary research methods: The example of effective purpose specification by applying user-centred UX-design methods. Computer Law & Security Review.
Grafenstein, M. v. (2019). Co-Regulation and the Competitive Advantage in the GDPR: Data protection certification mechanisms, codes of conduct and the “state of the art” of data protection-by-design. In González-Fuster, G., van Brakel, R., & De Hert, P., Research Handbook on Privacy and Data Protection Law. Values, Norms and Global Politics, 1st Ed. Cheltenham: Edward Elgar Publishing.
Coming soon:
Grassl, P., Gerber, N., Grafenstein, M. v. (upcoming). How to More Effectively Inform Users About the Risks to Their Fundamental Rights? (study design and data collection accomplished, data analysis ongoing)
Gerber, N., Grassl, P., Grafenstein, M. v. (upcoming). How do Consent Agents Affect the Consent Behaviour of Users? (study design accomplished, data collection in preparation)
Grafenstein, M. v., Smieskol, P., Jakobi, T. (upcoming). From Consent to Control by Closing the Feedback Loop: Enabling data subjects to directly compare personalised and non-personalised content through an On/Off toggle (submitted)