NL2GDPR: Automatically Develop GDPR Compliant Android Application Features from Natural Language

TL;DR

NL2GDPR is an innovative tool that automatically generates GDPR-compliant privacy policies for Android apps from natural language descriptions, easing compliance challenges for developers with limited resources.

Contribution

It introduces the first automatic GDPR policy generation tool leveraging information extraction and policy generation techniques from natural language descriptions.

Findings

Achieves over 92% accuracy in identifying GDPR policies related to data storage, processing, and sharing.

Utilizes an information extraction model combined with GDPR policy finding and generation modules.

Demonstrates effectiveness in automatically creating privacy policies from developer-provided natural language.

Abstract

The recent privacy leakage incidences and the more strict policy regulations demand a much higher standard of compliance for companies and mobile apps. However, such obligations also impose significant challenges on app developers for complying with these regulations that contain various perspectives, activities, and roles, especially for small companies and developers who are less experienced in this matter or with limited resources. To address these hurdles, we develop an automatic tool, NL2GDPR, which can generate policies from natural language descriptions from the developer while also ensuring the app's functionalities are compliant with General Data Protection Regulation (GDPR). NL2GDPR is developed by leveraging an information extraction tool, OIA (Open Information Annotation), developed by Baidu Cognitive Computing Lab. At the core, NL2GDPR is a privacy-centric information extraction model, appended with a GDPR policy finder and a policy generator. We perform a comprehensive study to grasp the challenges in extracting privacy-centric information and generating privacy policies, while exploiting optimizations for this specific task. With NL2GDPR, we can achieve 92.9%, 95.2%, and 98.4% accuracy in correctly identifying GDPR policies related to personal data storage, process, and share types, respectively. To the best of our knowledge, NL2GDPR is the first tool that allows a developer to automatically generate GDPR compliant policies, with only the need of entering the natural language for describing the app features. Note that other non-GDPR-related features might be integrated with the generated features to build a complex app.