Automated GDPR Compliance Assessment for Cross-Border Personal Data Transfers in Android Applications

Published in Computers & Security, Volume 130 (2023), 103262

Abstract

This paper presents a fully automated method to assess the compliance of cross-border personal data transfers in Android applications with the General Data Protection Regulation (GDPR). The method combines dynamic traffic analysis and automated natural language processing of privacy policies to evaluate whether the apps properly disclose data transfers outside the European Union, as required by the GDPR.

The approach was applied to a dataset of 4,593 popular Android apps available in Spain. The results show that 33% of apps transferring personal data internationally failed to disclose this fact in their privacy policies, while 15% presented incomplete or inconsistent information. Only 19% of the apps analyzed were found to fully comply with GDPR transparency requirements.

Key Contributions

  • 📱 Analysis of 4,593 Android apps from the Spanish Google Play Store.
  • 🌍 Identification of international personal data transfers using dynamic analysis and IP geolocation.
  • 📄 NLP-based privacy policy processing to detect GDPR-required disclosures.
  • 🔎 Public release of a benchmark dataset (IT-100 Corpus) for research.
  • ⚖️ Evidence of widespread non-compliance with GDPR in international transfers: almost half of the apps sending personal data abroad failed to comply.
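To make the assessment pipeline concrete, here is an added example (written for this page, not code from the paper or its authors) that follows the same three stages on constructed data: geolocate each observed destination of personal data, keep the destinations outside the EU/EEA, and check whether the app's privacy policy discloses the transfer. The geolocation table, the traffic flows, the policy texts and the app names are all constructed, and the regex matching stands in for the paper's NLP stage; the outcome labels (disclosed, incomplete, undisclosed) are this example's simplification of the categories the abstract reports.

```python
import ipaddress
import re

# EEA member states (EU-27 plus Iceland, Liechtenstein and Norway). A transfer
# of personal data to any other country falls under GDPR Chapter V.
EEA = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
    "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
    "SI", "ES", "SE", "IS", "LI", "NO",
}

# Constructed geolocation table: documentation/test prefixes mapped to
# countries for this example only. A real pipeline queries a geolocation DB.
GEO_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "US"),
    (ipaddress.ip_network("198.51.100.0/24"), "DE"),
    (ipaddress.ip_network("192.0.2.0/24"), "IE"),
    (ipaddress.ip_network("100.64.0.0/10"), "SG"),
]
COUNTRY_NAMES = {"US": "united states", "SG": "singapore",
                 "DE": "germany", "IE": "ireland"}

# Simplified stand-ins for the NLP stage (assumption: keyword patterns, not
# the paper's classifier): a disclosure of transfers outside the EU/EEA and a
# named Chapter V safeguard.
TRANSFER_RE = re.compile(
    r"(outside|beyond)\s+the\s+(eu|european\s+union|eea|european\s+economic\s+area)"
    r"|international(ly)?\s+transfer|third\s+countr", re.I)
SAFEGUARD_RE = re.compile(
    r"standard\s+contractual\s+clauses|adequacy\s+decision"
    r"|binding\s+corporate\s+rules|data\s+privacy\s+framework", re.I)

# Constructed traffic observations: (app id, destination IP, personal data type).
FLOWS = [
    ("com.example.weather", "203.0.113.10", "advertising_id"),
    ("com.example.weather", "198.51.100.5", "location"),
    ("com.example.notes", "192.0.2.7", "email"),
    ("com.example.fitness", "100.64.1.1", "location"),
    ("com.example.fitness", "203.0.113.44", "device_id"),
    ("com.example.travel", "203.0.113.80", "email"),
]

# Constructed privacy policy excerpts, one per app.
POLICIES = {
    "com.example.weather": (
        "We may transfer your personal data to service providers located outside "
        "the European Economic Area, including the United States, under the "
        "Standard Contractual Clauses approved by the European Commission."),
    "com.example.notes": "Your data is stored on servers in Ireland and Germany.",
    "com.example.fitness": "We share your information with partners to improve our services.",
    "com.example.travel": "We may transfer your data outside the European Union to our partners.",
}


def geolocate(ip):
    """Map a destination IP to a country code using the constructed table."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_TABLE:
        if addr in net:
            return cc
    return None


def international_destinations(flows):
    """Per app: non-EEA destination country -> set of personal data types sent there."""
    out = {}
    for app, ip, data_type in flows:
        cc = geolocate(ip)
        if cc is not None and cc not in EEA:
            out.setdefault(app, {}).setdefault(cc, set()).add(data_type)
    return out


def assess(destinations, policy):
    """Classify one app: no_transfer, undisclosed, incomplete or disclosed."""
    if not destinations:
        return "no_transfer"
    text = policy.lower()
    if not TRANSFER_RE.search(text):
        return "undisclosed"           # transfer observed, policy silent about it
    names_destination = any(
        COUNTRY_NAMES.get(cc) and COUNTRY_NAMES[cc] in text for cc in destinations)
    if names_destination and SAFEGUARD_RE.search(text):
        return "disclosed"             # destination and safeguard both stated
    return "incomplete"                # transfer mentioned, but vaguely


def assess_dataset(flows, policies):
    """Run the full check over every app that has a policy."""
    dests = international_destinations(flows)
    return {app: assess(dests.get(app, {}), policies[app]) for app in policies}


def summarize(results):
    """Share of apps with international transfers falling in each outcome class."""
    transferring = [r for r in results.values() if r != "no_transfer"]
    if not transferring:
        return {}
    return {k: transferring.count(k) / len(transferring)
            for k in ("disclosed", "incomplete", "undisclosed")}


if __name__ == "__main__":
    results = assess_dataset(FLOWS, POLICIES)
    for app, verdict in sorted(results.items()):
        print(f"{app}: {verdict}")
    print(summarize(results))
```

The check deliberately treats a policy that mentions international transfers but names neither the observed destination nor a Chapter V safeguard as "incomplete" rather than "disclosed"; that mirrors the distinction the abstract draws between undisclosed and incomplete or inconsistent information, and is where a keyword stand-in most needs replacing by a proper NLP model on real policies.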

👉 Read the full paper

Recommended citation: D.S. Guamán, D. Rodriguez, J.M. del Alamo, J. Such. "Automated GDPR Compliance Assessment for Cross-Border Personal Data Transfers in Android Applications." Computers & Security, 130 (2023), 103262. https://doi.org/10.1016/j.cose.2023.103262