11 research outputs found

    Relevant research questions for decentralised (personal) data governance

    Protecting and preserving individuals’ personal data is a legal obligation set out by the European Union’s General Data Protection Regulation (GDPR). However, the process of implementing data governance to support that, in a decentralised ecosystem, is still vague. Motivated by the need for lawful decentralised data processing, this paper outlines several relevant questions from legal, privacy and technology standpoints that need to be considered

    The smashHitCore Ontology for GDPR-Compliant Sensor Data Sharing in Smart Cities

    The adoption of the General Data Protection Regulation (GDPR) has resulted in a significant shift in how the data of European Union citizens is handled. A variety of data sharing challenges in scenarios such as smart cities have arisen, especially when attempting to semantically represent GDPR legal bases, such as consent, contracts and the data types and specific sources related to them. Most of the existing ontologies that model GDPR focus mainly on consent. In order to represent other GDPR bases, such as contracts, multiple ontologies need to be simultaneously reused and combined, which can result in inconsistent and conflicting knowledge representation. To address this challenge, we present the smashHitCore ontology. smashHitCore provides a unified and coherent model for both consent and contracts, as well as the sensor data and data processing associated with them. The ontology was developed in response to real-world sensor data sharing use cases in the insurance and smart city domains. The ontology has been successfully utilised to enable GDPR-compliant data sharing in a connected car for insurance use cases and in a city feedback system as part of a smart city use case

    Knowledge graph based hard drive failure prediction

    The hard drive is one of the important components of a computing system, and its failure can lead to both system failure and data loss. Therefore, the reliability of a hard drive is very important. Realising this importance, a number of studies have been conducted and many are still ongoing to improve hard drive failure prediction. Most of those studies rely solely on machine learning, and a few others on semantic technology. The studies based on machine learning, despite promising results, lack context-awareness such as how failures are related or what other factors, such as humidity, influence the failure of hard drives. Semantic technology, on the other hand, by means of ontologies and knowledge graphs (KGs), is able to provide the context-awareness that machine learning-based studies lack. However, the studies based on semantic technology lack the advantages of machine learning, such as the ability to learn a pattern and make predictions based on learned patterns. Therefore, in this paper, leveraging the benefits of both machine learning (ML) and semantic technology, we present our study, knowledge graph-based hard drive failure prediction. The experimental results demonstrate that our proposed method achieves higher accuracy in comparison to the current state of the art

    Automated GDPR Contract Compliance Verification Using Knowledge Graphs

    In the past few years, the main research efforts regarding General Data Protection Regulation (GDPR)-compliant data sharing have been focused primarily on informed consent (one of the six GDPR lawful bases for data processing). In cases such as Business-to-Business (B2B) and Business-to-Consumer (B2C) data sharing, when consent might not be enough, many small and medium enterprises (SMEs) still depend on contracts—a GDPR basis that is often overlooked due to its complexity. The contract’s lifecycle comprises many stages (e.g., drafting, negotiation, and signing) that must be executed in compliance with GDPR. Despite the active research efforts on digital contracts, contract-based GDPR compliance and challenges such as contract interoperability have not been sufficiently elaborated on yet. Since knowledge graphs and ontologies provide interoperability and support knowledge discovery, we propose and develop a knowledge graph-based tool for GDPR contract compliance verification (CCV). It binds GDPR’s legal basis to data sharing contracts. In addition, we conducted a performance evaluation in terms of execution time and test cases to validate CCV’s correctness in determining the overhead and applicability of the proposed tool in smart city and insurance application scenarios. The evaluation results and the correctness of the CCV tool demonstrate the tool’s practicability for deployment in the real world with minimum overhead

    Consent through the lens of semantics: state of the art survey and best practices

    The acceptance of the GDPR legislation in 2018 started a new technological shift towards achieving transparency. GDPR put focus on the concept of informed consent applicable for data processing, which led to an increase of the responsibilities regarding data sharing for both end users and companies. This paper presents a literature survey of existing solutions that use semantic technology for implementing consent. The main focus is on ontologies, how they are used for consent representation and for consent management in combination with other technologies such as blockchain. We also focus on visualisation solutions aimed at improving individuals’ consent comprehension. Finally, based on the overviewed state of the art we propose best practices for consent implementation

    Data protection by design tool for automated GDPR compliance verification based on semantically modeled informed consent

    The enforcement of the GDPR in May 2018 has led to a paradigm shift in data protection. Organizations face significant challenges, such as demonstrating compliance (or auditability) and automated compliance verification due to the complex and dynamic nature of consent, as well as the scale at which compliance verification must be performed. Furthermore, the GDPR’s promotion of data protection by design and industrial interoperability requirements has created new technical challenges, as they require significant changes in the design and implementation of systems that handle personal data. We present a scalable data protection by design tool for automated compliance verification and auditability based on informed consent that is modeled with a knowledge graph. Automated compliance verification is made possible by implementing a regulation-to-code process that translates GDPR regulations into well-defined technical and organizational measures and, ultimately, software code. We demonstrate the effectiveness of the tool in the insurance and smart cities domains. We highlight ways in which our tool can be adapted to other domains

    Raising Consent Awareness With Gamification and Knowledge Graphs : An Automotive Use Case

    Consent is one of GDPR’s lawful bases for data processing and specific requirements for it apply. Consent should be specific, unambiguous and most of all informed. However, an informed consent request does not guarantee having individuals who are aware of what it means to consent and the implications that follow. Consent is often given blindly now, in particular because of information overload from long privacy policies written in legal language and complex interface designs that cause consent fatigue on the users' side. This paper presents a knowledge graph-based user interface for consent solicitation, which uses gamification to raise the legal awareness and ease individuals’ comprehension of consent. The knowledge graph models informed consent in a machine-readable format and provides a unified consent model to all entities involved in the data sharing process. The evaluation shows that with the help of gamification, the interface can raise individuals' average legal awareness to 92.86%.

    Introduction

    Gathering information about one’s behaviour is an important key to improving existing technology as it can provide an insight into behavioural trends (i.e., how and why individuals act in certain situations) (Rodríguez et al. (2013), Štreimikienė (2014), Elbayoudi et al. (2016), Fotopoulou et al. (2017)). Such information has proven to be useful for large organisations in sectors such as insurance and online-advertising, who have started the trend of “behavioural targeting” (Jaworska and Sydow (2008); Zuiderveen Borgesius (2016)). Now, more than ever, personal data is being collected, analysed, and shared between multiple entities and, in most cases, the collection happens without one’s consent and knowledge about the implications that follow (Joergensen (2014); Bechmann (2014)).

    In order to change that, in 2018, the European Parliament and Council of the European Union accepted the General Data Protection Regulation (GDPR). GDPR has led to a drastic change in how the personal data of European citizens is handled by introducing six lawful bases for the processing of personal data, one amongst which is consent. Consent has a crucial role since no data processing can begin without it. GDPR has set specific requirements for it (Art. 6, 7). Consent should be freely given, unambiguous, explicit, and most of all informed (Rec. 32). In order to have informed consent, a consent request, which is compliant with GDPR, must present information about what data is required, for what purposes, how the data will be processed, by whom, etc. (Art. 7, Rec. 32). However, presenting such information does not guarantee that one will be truly informed (i.e., aware of what it means to consent). There is a need for consent tools that focus on raising individuals’ legal awareness while being compliant with GDPR (McStay (2013)).

    One of the main means of requesting consent online is via a User Interface (UI) - a prompt window asking one to “Agree” to the presented privacy policy and terms and conditions, which are rarely read and “when they are, they are hard to digest” (McDonald and Cranor (2008); Drozd and Kirrane (2020)). The option to “Not Agree” is also rarely present (Utz et al. (2019); Matte et al. (2020)). Options such as consent revocation are, in many cases, hidden from individuals (i.e., one needs to search and go through several screens to withdraw the given consent). According to Article 7 of GDPR, “it shall be as easy to withdraw as to give consent” thus such consent request UIs are in violation. Giving consent by selecting “Agree” to the presented privacy policy does not imply that individuals are aware of what their actions mean and the implications that follow (Byrne et al 1988). For example, an individual’s vehicle sensor data such as fuel and speed can be used by insurance companies to make decisions about the value of the vehicle and for medical payments or personal injury protection coverage in the case of a car accident. Such data could be used to adjust a driver’s insurance premiums upwards or downwards depending on their driving habits, age, and health without the driver realising that this adjustment was based on continuously collected data. In most cases, one gives consent without questioning what is asked and for what purposes (Bechmann (2014); Joergensen (2014)). Bechmann (2014) defines this behaviour as a beginning of a culture of “blind consent”. Humans look for visual cues when presented with content (Clark and Mayer (2016); Brookhaven National Laboratory (2017)). Presenting individuals with long paragraphs of legal text does not ease comprehension (Wszalek (2017); Ericsson (1988); Kurteva and de Ribaupierre (2021)). Instead, it can lead to confusion and information overload (Gross (1965)), which can make one dismiss the process by giving consent without being informed.