TL;DR!

EU and German privacy laws changed and many companies have to rewrite their privacy policies. I built a tool to help non-technical users to do just that.

Please contribute if you can!

What happened?

2020 is over and has been an exceptional year in every regard. Besides the world being ravaged by a highly transmissible virus for the last 12 months, the European Court of Justice (CJEU) also decided it was time to invalidate the EU-US Privacy Shield, which regulated "[..] transatlantic exchanges of personal data for commercial purposes between the European Union and the United States."1

The CJEU reasoned that the EU-US Privacy Shield did not provide adequate protection of EU citizens' personal data. Although an alternative exists in the so-called standard contractual clauses (SCCs), those are only really applicable where the data-importing country's legal protections match those of the Charter of Fundamental Rights of the EU.

In addition to the CJEU's ruling above, the German Federal Court of Justice also ruled that users have to actively opt in to being tracked through web analytics and to having the respective cookies set in their browser.

Why does this even concern you?

Since summer of 2020 I have taken over the responsibility of data security officer at my current German employer, which means I am responsible for hundreds of thousands of data sets of personal data being persisted and transferred around the globe. One of my tasks is to keep track of legal developments which might affect how my employer has to deal with said data. It would be an understatement to say that the rulings outlined above have changed a lot of things.

You see, part of our web application business is to provide a matching privacy policy for each of our applications. The content of this privacy policy of course has to reflect any features of the web app which would impact a visiting user's privacy rights. Given the (limited) influence of our customers on how and why users are tracked, there is a myriad of possible combinations of privacy policy snippets that form a valid policy.

Cut to the chase already! What did you build?

To solve the problem of generating a valid privacy policy out of all possible options, whilst also providing an easy-to-understand user experience and exporting a reusable piece of HTML for easy implementation into any website or web app, I decided to spend a few weekends on building a privacy policy generator app.

Here is my initial draft of the app:

Policy Generator web app wireframe (pencil on paper)

Tech-Stack

React is still my go-to solution to quickly convert ideas into code. So, ironically, Facebook's library forms the basis of my application's frontend.

I wanted to keep the backend as simple as possible, which is why there is no backend. Well, that is, I am using my public Bitbucket repository as data storage for the privacy policy snippets!

Given the ever-changing tech and legal landscape it will be hard to keep the policy snippets up to date on my own. So the idea behind using a code repository as data storage was that this way anyone can open pull requests and either modify existing snippets or even add completely new snippets. I made an initial effort to include snippets for the most popular web services like Google Analytics, Google Fonts, etracker, etc.

Policy Generator web app UI
Policy Generator web app HTML Output

All snippets are written in Markdown so they are human readable even without a great deal of technical knowledge. This way the hurdle is hopefully low enough to give non-technical people a way to skim the texts and give their feedback!

The Markdown texts are imported as raw data and then rendered to the DOM via the react-markdown package. Once a user is satisfied with the selection of snippets and has finalized the form entry, it is time to compile the preview into an HTML document which can be used on the user's website or (web) application.
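Since the snippets arrive through pull requests and the exported HTML ends up on every user's site, two checks matter in the compile step: contributed snippets must not smuggle raw HTML into the output, and form values must be escaped before they are interpolated. The following is an added example, not the generator's own code; the snippet ids, the `{{name}}` placeholder syntax, the form fields and the tiny renderer (standing in for react-markdown) are assumptions.

```javascript
// Added example, not the generator's own code. Snippet ids, the {{name}}
// placeholder syntax and the form fields below are assumptions.
// Constructed sample snippets standing in for the Markdown files in the repo.
const SNIPPETS = {
  intro: '## Privacy policy of {{company}}\n\nContact: {{email}}',
  analytics: '## Google Analytics\n\nOnly loaded after you opt in.',
  fonts: '## Google Fonts\n\nFonts are served from Google servers.',
};

// Escape the characters that are significant in HTML text and attributes.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// A contributed snippet that carries raw HTML or a javascript: link would be
// copied into every generated policy, so reject it before it is rendered.
function lintSnippet(markdown) {
  const problems = [];
  if (/<\s*\/?[a-z][^>]*>/i.test(markdown)) problems.push('raw HTML tag');
  if (/\]\(\s*javascript:/i.test(markdown)) problems.push('javascript: link');
  return problems;
}

// Fill {{placeholders}} with escaped form values; unknown keys are left
// visible so a missing form entry is noticed rather than silently blank.
function fillPlaceholders(markdown, form) {
  return markdown.replace(/\{\{\s*(\w+)\s*\}\}/g, (match, key) =>
    Object.prototype.hasOwnProperty.call(form, key) ? escapeHtml(form[key]) : match);
}

// Minimal renderer for the subset the samples use (## headings, paragraphs);
// the real app delegates this step to react-markdown.
function renderMarkdown(markdown) {
  return markdown.split(/\n{2,}/).map((block) => {
    const heading = block.match(/^##\s+(.*)$/);
    return heading ? `<h2>${heading[1]}</h2>` : `<p>${block}</p>`;
  }).join('\n');
}

// Compile the user's selection into the HTML document that gets exported.
function compilePolicy(selected, form, snippets = SNIPPETS) {
  const unknown = selected.filter((id) => !(id in snippets));
  if (unknown.length) throw new Error('unknown snippets: ' + unknown.join(', '));
  const rejected = selected.filter((id) => lintSnippet(snippets[id]).length > 0);
  if (rejected.length) throw new Error('rejected snippets: ' + rejected.join(', '));
  const markdown = selected.map((id) => fillPlaceholders(snippets[id], form)).join('\n\n');
  return renderMarkdown(markdown);
}
```

The lint step is best run in the repository's pull-request pipeline as well, so a problematic snippet is caught before it is merged rather than only at compile time.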

Please contribute if you can!


  1. Wikipedia, EU-US Privacy Shield. Retrieved 2020-01-03