Lawful and Accountable Personal Data Processing with GDPR-based Access and Usage Control in Distributed Systems
- URL: http://arxiv.org/abs/2503.07172v1
- Date: Mon, 10 Mar 2025 10:49:34 GMT
- Title: Lawful and Accountable Personal Data Processing with GDPR-based Access and Usage Control in Distributed Systems
- Authors: L. Thomas van Binsbergen, Marten C. Steketee, Milen G. Kebede, Heleen L. Janssen, Tom M. van Engers,
- Abstract summary: This paper proposes a case-generic method for automated normative reasoning that establishes legal arguments for the lawfulness of data processing activities. The arguments are established on the basis of case-specific legal qualifications made by privacy experts, bringing the human in the loop. The resulting system is designed and critically assessed in reference to requirements extracted from the GDPR.
- Score: 0.0
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: Compliance with the GDPR privacy regulation places a significant burden on organisations regarding the handling of personal data. The perceived efforts and risks of complying with the GDPR further increase when data processing activities span across organisational boundaries, as is the case in both small-scale data sharing settings and in large-scale international data spaces. This paper addresses these concerns by proposing a case-generic method for automated normative reasoning that establishes legal arguments for the lawfulness of data processing activities. The arguments are established on the basis of case-specific legal qualifications made by privacy experts, bringing the human in the loop. The obtained expert system promotes transparency and accountability, remains adaptable to extended or altered interpretations of the GDPR, and integrates into novel or existing distributed data processing systems. This result is achieved by defining a formal ontology and semantics for automated normative reasoning based on an analysis of the purpose-limitation principle of the GDPR. The ontology and semantics are implemented in eFLINT, a domain-specific language for specifying and reasoning with norms. The XACML architecture standard, applicable to both access and usage control, is extended, demonstrating how GDPR-based normative reasoning can integrate into (existing, distributed) systems for data processing. The resulting system is designed and critically assessed in reference to requirements extracted from the GDPR.
Related papers
- Modelling Privacy Compliance in Cross-border Data Transfers with Bigraphs [0.0]
We propose a privacy framework based on Milner's Bigraphical Reactive Systems.
We demonstrate the framework's applicability by modelling WhatsApp's privacy policies.
arXiv Detail & Related papers (2025-03-26T11:50:55Z) - RIRAG: Regulatory Information Retrieval and Answer Generation [51.998738311700095]
We introduce a task of generating question-passage pairs, where questions are automatically created and paired with relevant regulatory passages. We create the ObliQA dataset, containing 27,869 questions derived from the collection of Abu Dhabi Global Markets (ADGM) financial regulation documents. We design a baseline Regulatory Information Retrieval and Answer Generation (RIRAG) system and evaluate it with RePASs, a novel evaluation metric.
arXiv Detail & Related papers (2024-09-09T14:44:19Z) - Modelling Technique for GDPR-compliance: Toward a Comprehensive Solution [0.0]
New data protection legislation in the EU/UK has come into force.
Existing threat modelling techniques are not designed to model compliance.
We propose a new data flow integrated with principles of knowledge base for non-compliance threats.
arXiv Detail & Related papers (2024-04-22T08:41:43Z) - Towards an Enforceable GDPR Specification [49.1574468325115]
Privacy by Design (PbD) is prescribed by modern privacy regulations such as the EU's.
One emerging technique to realize PbD is enforcement (RE)
We present a set of requirements and an iterative methodology for creating formal specifications of legal provisions.
arXiv Detail & Related papers (2024-02-27T09:38:51Z) - Legal Requirements Analysis [2.3349787245442966]
We explore a variety of methods for analyzing legal requirements and exemplify them on representations.
We describe possible alternatives for creating machine-analyzable representations from regulations.
arXiv Detail & Related papers (2023-11-23T09:31:57Z) - Relational Action Bases: Formalization, Effective Safety Verification, and Invariants (Extended Version) [67.99023219822564]
We introduce the general framework of relational action bases (RABs)
RABs generalize existing models by lifting both restrictions.
We demonstrate the effectiveness of this approach on a benchmark of data-aware business processes.
arXiv Detail & Related papers (2022-08-12T17:03:50Z) - Distributed Machine Learning and the Semblance of Trust [66.1227776348216]
Federated Learning (FL) allows the data owner to maintain data governance and perform model training locally without having to share their data.
FL and related techniques are often described as privacy-preserving.
We explain why this term is not appropriate and outline the risks associated with over-reliance on protocols that were not designed with formal definitions of privacy in mind.
arXiv Detail & Related papers (2021-12-21T08:44:05Z) - Learning to Limit Data Collection via Scaling Laws: Data Minimization Compliance in Practice [62.44110411199835]
We build on literature in machine learning law to propose a framework for limiting collection based on data interpretation that ties data to system performance.
We formalize a data minimization criterion based on performance curve derivatives and provide an effective and interpretable piecewise power law technique.
arXiv Detail & Related papers (2021-07-16T19:59:01Z) - Reviving Purpose Limitation and Data Minimisation in Personalisation, Profiling and Decision-Making Systems [0.0]
This paper determines, through an interdisciplinary law and computer science lens, whether data minimisation and purpose limitation can be meaningfully implemented in data-driven systems.
Our analysis reveals that the two legal principles continue to play an important role in mitigating the risks of personal data processing.
We highlight that even though these principles are important safeguards in the systems under consideration, there are important limits to their practical implementation.
arXiv Detail & Related papers (2021-01-15T16:36:29Z) - Towards a Semantic Model of the GDPR Register of Processing Activities [0.3441021278275805]
We present a consolidated data model based on common concepts and relationships across analysed templates.
We show that the DPV currently does not provide sufficient concepts to represent the ROPA data model.
This will enable creation of a pan-EU information management framework for interoperability between organisations and regulators for compliance.
arXiv Detail & Related papers (2020-08-03T13:54:47Z) - Operationalizing the Legal Principle of Data Minimization for Personalization [64.0027026050706]
We identify a lack of a homogeneous interpretation of the data minimization principle and explore two operational definitions applicable in the context of personalization.
We find that the performance decrease incurred by data minimization might not be substantial, but it might disparately impact different users.
arXiv Detail & Related papers (2020-05-28T00:43:06Z)
This list is automatically generated from the titles and abstracts of the papers in this site.
This site does not guarantee the quality of its content (including all information) and is not responsible for any consequences.