Automating Accountability? Privacy Policies, Data Transparency, and the Third Party Problem [1]

David Lie, Department of Electrical and Computer Engineering, University of Toronto
Lisa M. Austin, Faculty of Law, University of Toronto
Peter Yi Ping Sun, Bloomberg [2]
Wenjun Qiu, Department of Electrical and Computer Engineering, University of Toronto

1 Introduction

We have a data transparency problem. Currently one of the main mechanisms we have to understand data flows is through the self-reporting that organizations provide through privacy policies. However, it is notoriously difficult for individual consumers to read these policies and understand how their data is collected and used by the many organizations with whom they directly interact in our digitally mediated world. This problem is becoming more acute with the increasing complexity of the data ecosystem and the role of “third parties” -- the affiliates, partners, processors, ad agencies, analytic services, and data brokers involved in the contemporary data practices of organizations. [3] These third party relationships were at the heart of the recent Cambridge Analytica scandal and are central to concerns about the surveillance capabilities of mobile devices.

There are many proposals to improve the usability of privacy policies, and transparency practices more generally, in relation to their role in enabling meaningful consumer consent. [4] There are also important questions regarding whether privacy is best protected through such “self-management” paradigms. [5] However, privacy policies disclose details of data flows and legal authority for processing that go beyond the question of consent obligations and raise the more general issue of accountability.
Data transparency is important for ensuring accountability in data practices generally; without meaningful accountability we can have strong laws on the

[1] Our AppTrans project was funded by the Office of the Privacy Commissioner of Canada through their Contributions Program. We would also like to thank Robin Spillette, Mariana D’Angelo, and Michelle Wong for their excellent research assistance and input into the AppTrans project.
[2] The research Peter Sun performed for this paper was while he was a graduate student at the University of Toronto.
[3] The distinctions between these can all be important in relation to some legal obligations but for the purposes of this paper we refer to them all as “third parties”. This is broader than how the term “third party” is defined in the GDPR, for example, and is more similar to how the GDPR defines “recipient”: See GDPR, infra note 9, art. 4. However, for much of this paper we are concerned with the practices of entities who would be considered third parties under the GDPR as well.
[4] See s. 2 of this paper, below.
[5] See, eg, Daniel J Solove, Privacy Self-Management and the Consent Dilemma, (2013) 126 Harv L Rev 1879.