The Lord of Their Data Under the GDPR? : Empowering Users Through Usable Transparency, Intervenability, and Consent

Sammanfattning: The challenges imposed by the ever-growing online data processing make it difficult for people to control their data, which inevitably imperils the privacy of their personal information and making informed decisions. Thus, there is an increasing need for different societal, technological, and legal solutions that empower users to take control of their data. The intervenability rights and the enhanced transparency and consent requirements in the General Data Protection Regulation (GDPR) aim to enable users to gain control of their data. However, these rights and requirements will not be beneficial for users in practice without considering their Human-Computer Interaction (HCI) implications.The objective of this thesis is to propose usable tools and solutions which improve user-centred transparency, intervenability, and consent, thereby empowering users to take control of their data and make informed decisions. To this end, we employ quantitative and qualitative empirical HCI research methods and consider users through the development cycles of the proposed tools and solutions. We investigate how usable ex-post transparency can facilitate intervenability by implementing and testing Transparency-Enhancing Tools (TETs) that run on users' devices. Further, we analyse the effectiveness of engaging users with policy information through different types of interaction techniques on drawing user attention to consent form contents. We extend our investigation to the robustness of varying consent form designs to habituation. Moreover, we study how users perceive our design of adapted consent based on the demands and challenges of the technology at hand.This thesis contributes to bridging the gap between legally compliant and usable tools and techniques that aim to enable users to maintain control of their data, resulting in several artefacts, design guidelines, and empirical contributions. The artefacts comprise prototypes and mockups of usable TETs and consent forms. The guidelines encompass a set of design requirements for ex-post TETs that run based on privacy notifications and recommendations on how to engage users with consent form contents. Finally, the empirical contributions include the analysis of the effectiveness of the proposed means and methods on enabling users to exercise their intervenability rights and provide informed consent.