A BERT-based Empirical Study of Privacy Policies' Compliance with GDPR

Lu Zhang, Nabil Moukafih, Hamad Alamri, Gregory Epiphaniou, Carsten Maple

TL;DR

The paper tackles automatic GDPR Article 13 compliance checking for privacy policies in 5G CPS contexts using a BERT‑based sentence classifier. It collects privacy policies from about 68–70 5G MNOs, annotates them with GDPR labels, and evaluates both compliance and readability with standard metrics, reporting that roughly half of the companies show strong adherence while readability remains a challenge. Results indicate high adherence for several Article 13 provisions (e.g., data processing purposes, contact details) but lower compliance for rights like data portability and objection to processing, highlighting gaps between policy content and user understanding. The work demonstrates a scalable approach to regulatory compliance verification in privacy policies for 5G networks and underscores the need for clearer, more user‑friendly policy language in CPS ecosystems.

Abstract

Since its implementation in May 2018, the General Data Protection Regulation (GDPR) has prompted businesses to revisit and revise their data handling practices to ensure compliance. The privacy policy, which serves as the primary means of informing users about their privacy rights and the data practices of companies, has been significantly updated by numerous businesses post-GDPR implementation. However, many privacy policies remain packed with technical jargon, lengthy explanations, and vague descriptions of data practices and user rights. This makes it a challenging task for users and regulatory authorities to manually verify the GDPR compliance of these privacy policies. In this study, we aim to address the challenge of compliance analysis between GDPR (Article 13) and privacy policies for 5G networks. We manually collected privacy policies from almost 70 different 5G MNOs, and we utilized an automated BERT-based model for classification. We show that an encouraging 51% of companies demonstrate a strong adherence to GDPR. In addition, we present the first study that provides current empirical evidence on the readability of privacy policies for 5G networks. We adopted a readability analysis toolset that incorporates various established readability metrics. The findings empirically show that the readability of the majority of current privacy policies remains a significant challenge. Hence, 5G providers need to invest considerable effort into revising these documents to enhance both their utility and the overall user experience.
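The abstract describes two measurements: how many Article 13 provisions a policy addresses (derived from per-sentence classifier labels) and how readable the policy text is. The following is an added illustrative example, not the paper's code or data, showing how both aggregate from sentence-level input. The provision names, the two sample policies and their labels are constructed placeholders (in the paper the labels would come from the BERT classifier); the Flesch Reading Ease formula uses its standard coefficients, and the syllable counter is a rough heuristic rather than the paper's toolset.

```python
"""Added example (not from the paper): aggregate per-sentence GDPR Article 13
labels into compliance figures and compute a Flesch Reading Ease score."""
import re
from collections import defaultdict

# Hypothetical subset of Article 13 provision labels (names are assumptions).
ARTICLE_13_RULES = [
    "controller_identity",
    "processing_purposes",
    "data_portability",
    "right_to_object",
]

# Constructed sample: two fictional operators, sentences labelled by hand.
# A real pipeline would obtain these labels from the sentence classifier.
SAMPLE_POLICIES = {
    "ExampleTelcoA": [
        ("We are the data controller and can be reached at the address above.", "controller_identity"),
        ("We process your data to provide the service and to bill you.", "processing_purposes"),
        ("You may request a copy of your data in a machine readable format.", "data_portability"),
        ("You can object to processing based on legitimate interests.", "right_to_object"),
    ],
    "ExampleTelcoB": [
        ("Our company is responsible for your personal data.", "controller_identity"),
        ("Your data is used to operate the network.", "processing_purposes"),
        ("We may update this policy from time to time.", None),
    ],
}


def rule_coverage(sentence_labels, rules=ARTICLE_13_RULES):
    """Fraction of rules each company addresses with at least one sentence
    (the per-company view, as in the paper's Figure 1)."""
    result = {}
    for company, labelled in sentence_labels.items():
        found = {label for _, label in labelled if label in rules}
        result[company] = len(found) / len(rules)
    return result


def per_rule_adherence(sentence_labels, rules=ARTICLE_13_RULES):
    """Fraction of companies whose policy covers each rule
    (the per-rule view, as in the paper's Figure 2)."""
    counts = defaultdict(int)
    for labelled in sentence_labels.values():
        for rule in {label for _, label in labelled if label in rules}:
            counts[rule] += 1
    n = len(sentence_labels)
    return {rule: counts[rule] / n for rule in rules}


def strong_adherence_share(coverage, threshold=0.75):
    """Share of companies whose coverage meets a chosen threshold
    (the threshold value is an assumption, not the paper's)."""
    strong = sum(1 for c in coverage.values() if c >= threshold)
    return strong / len(coverage)


def count_syllables(word):
    """Heuristic: count vowel groups, drop a trailing silent 'e'."""
    word = word.lower()
    n = len(re.findall(r"[aeiouy]+", word))
    if word.endswith("e") and not word.endswith("le") and n > 1:
        n -= 1
    return max(n, 1)


def flesch_reading_ease(text):
    """Standard Flesch Reading Ease: higher is easier to read."""
    sentences = [s for s in re.split(r"[.!?]+", text) if s.strip()]
    words = re.findall(r"[A-Za-z']+", text)
    if not sentences or not words:
        return 0.0
    syllables = sum(count_syllables(w) for w in words)
    return (206.835
            - 1.015 * (len(words) / len(sentences))
            - 84.6 * (syllables / len(words)))


if __name__ == "__main__":
    coverage = rule_coverage(SAMPLE_POLICIES)
    print("per-company coverage:", coverage)
    print("per-rule adherence:", per_rule_adherence(SAMPLE_POLICIES))
    print("strong adherence share:", strong_adherence_share(coverage))
    for company, sentences in SAMPLE_POLICIES.items():
        text = " ".join(s for s, _ in sentences)
        print(company, "reading ease:", round(flesch_reading_ease(text), 1))
```

The two aggregations are deliberately separate: a company can score well on coverage while a single provision (for example data portability) is missing across most of the dataset, which is exactly the gap the per-rule view exposes.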

Paper Structure (12 sections, 2 equations, 2 figures, 3 tables)

This paper contains 12 sections, 2 equations, 2 figures, 3 tables.

Figures (2)

  • Figure 1: Percentage of the compliance for the 5G companies.
  • Figure 2: Percentage of the compliance for each rule among all the 5G companies.