How Do Brazilian IT Companies Address Ambiguity Resolution in Legal Requirements Specification? - A study focused on data protection laws
DOI: https://doi.org/10.5753/jbcs.2026.6730
Keywords: Legal Requirements, Ambiguity, Regulatory Requirements, Qualitative study, Data Protection Laws
Abstract
[Context] Software requirements are mainly specified in natural language, which is prone to producing ambiguous specifications. This challenge grows when the requirements must comply with regulations, the so-called legal requirements. [Objectives] This work investigates the state of practice in tackling ambiguity in legal requirements. The goal is to identify the factors that help or hinder ambiguity resolution for legal requirements in companies that need to comply with data protection laws. [Methods] A qualitative study based on semi-structured interviews was performed with twenty-two Brazilian IT professionals from eighteen companies to gather their views on how they deal with ambiguity resolution for legal requirements. The interviews were recorded, transcribed, and analyzed using qualitative coding techniques, including open and axial coding. [Results] Findings reveal that ambiguity resolution involves many actors, including the development team, the customer, and specialized support areas (Legal, Ambiguity analysis, or Anonymity Sector), as well as experienced team members and domain experts. This study also identifies a set of factors that positively or negatively influence the quality of legal requirements specifications. [Conclusion] These positive and negative factors, the practices for eliciting and specifying legal requirements, and the practices for reducing ambiguity in such requirements can serve as a guide for companies concerned with compliance with data protection laws.
License
Copyright (c) 2026 Dorgival Netto, Carla Silva, João Araújo, Mayara Santos

This work is licensed under a Creative Commons Attribution 4.0 International License.