- From: Simon Steyskal <simon.steyskal@wu.ac.at>
- Date: Fri, 17 Aug 2018 14:19:36 +0200
- To: me@harshp.com
- Cc: Eva Schlehahn <uld67@datenschutzzentrum.de>, public-dpvcg@w3.org
Hi!
(Chiming in on the ODRL part of the conversation)
> However, to date, I am not aware of any work attempting to model
> consent using ODRL (that has published their approach).
ODRL allows you to define so-called Privacy policies [1]: "A Policy that
expresses a Rule over an Asset containing personal information." which
would contain permissions & prohibitions tied to your PI.
For example, such a policy could in ODRL be expressed like this:

@prefix odrl: <http://www.w3.org/ns/odrl/2/> .
@prefix ex:   <http://example.com/> .   # placeholder namespace for the ex: terms

<http://example.com/policy:42>
    a odrl:Privacy ;
    odrl:permission [
        a odrl:Permission ;
        odrl:target ex:asset_9898 ;
        odrl:action odrl:reproduce ;
        odrl:assigner ex:Alice ;
        odrl:assignee ex:Bob ;
        odrl:duty [
            a odrl:Duty ;
            odrl:action odrl:obtainConsent ;
            odrl:output ex:Consent ;
            odrl:consentingParty ex:Alice ;
            odrl:consentedParty ex:Bob ;
        ]
    ] .

Resembling a permission Alice has granted to Bob for reproducing her PI
(denoted as asset_9898) under the condition that Bob obtains Alice's
consent.
https://www.w3.org/TR/odrl-vocab/#term-consentingParty - party to obtain
consent from
https://www.w3.org/TR/odrl-vocab/#term-consentedParty - party who
obtains the consent
https://www.w3.org/TR/odrl-vocab/#term-obtainConsent - To obtain
verifiable consent to perform the requested action in relation to the
Asset.
https://www.w3.org/TR/odrl-vocab/#term-output - specifies the Asset
which is created from the output of the Action.
However, ODRL does NOT define:
1) HOW & WHEN consent has to be obtained, i.e., HOW & WHEN fulfillment
of the duty has to be verified/checked
2) HOW consent has to "look like", i.e., what information ex:Consent has
to contain
HTH, simon
[1] https://www.w3.org/TR/odrl-vocab/#term-Privacy
---
DDipl.-Ing. Simon Steyskal
Institute for Information Business, WU Vienna
www: http://www.steyskal.info/ twitter: @simonsteys
On 2018-08-17 09:04, Eva Schlehahn wrote:
> Hi Harsh,
>
> knowing the purpose of the processing ahead of time is one of the key
> cornerstones of processing anyway, at least when personal data is
> concerned. You recognized correctly that OWL can help then. Even
> though I have no technology background, I got it that this was one of
> the considerations in favor of OWL made in another project I was in.
> So if anyone on this list has experience with ODRL, this would indeed
> be quite useful for a more concrete comparison.
>
> Greetings from Kiel in northern Germany,
>
> Eva
>
> Landesbeauftragte für Datenschutz Schleswig-Holstein
> Holstenstraße 98, 24103 Kiel, Tel. +49 431 988-1200, Fax -1223
> mail@datenschutzzentrum.de - https://www.datenschutzzentrum.de/
> Eva Schlehahn, uld67@datenschutzzentrum.de
>
> Information on the processing of personal data by the
> Landesbeauftragte für Datenschutz and on encrypted
> e-mail communication:
> https://datenschutzzentrum.de/datenschutzerklaerung/
>
> On 16.08.2018 at 18:52, Harsh wrote:
>> Ah! Thank you Axel.
>> So the assumption I make from this is that it is possible to use ODRL,
>> but simpler methods may exist (such as the OWL model). That being
>> said, the work ahead would then be comparing these, and finding their
>> strengths and complexities in terms of modeling consent.
>>
>> This cleared up a lot of things in my mind regarding your (SPECIAL)
>> choice of using OWL as well. Mainly being that it is specific to the
>> use-case and works quite well if the purposes (w.r.t consent) are
>> known ahead of time.
>>
>> Regards,
>>
>> Harsh
>>
>>
>> On 16/08/18 16:06, Axel Polleres wrote:
>>> </chairhat>
>>>
>>> Simon might be more into this, we had some work using ODRL for
>>> modeling various Data access policies [1,2]
>>> The reason for the choice of a simpler OWL taxonomy and fixed
>>> concepts (rather than describing each of these in detail in terms of
>>> more fine-granular ODRL policies), was AFAIR that the use cases in
>>> SPECIAL didn't require it and that with this OWL-based approach
>>> compliance checking can be defined in a relatively straightforward
>>> manner.
>>>
>>> 1. Simon Steyskal and Axel Polleres. Towards formal semantics for
>>> ODRL policies. In /9th International Web Rule Symposium
>>> (RuleML2015)/, number 9202 in Lecture Notes in Computer Science
>>> (LNCS), pages 360--375, Berlin, Germany, August 2015. Springer. [
>>> .pdf
>>> <http://www.polleres.net/publications/stey-poll-2015RuleML.pdf> ]
>>>
>>> 2. Simon Steyskal and Axel Polleres. Defining expressive access
>>> policies for linked data using the ODRL ontology 2.0. In /Proceedings
>>> of the SEMANTiCS 2014/, ACM International Conference Proceedings
>>> Series, Leipzig, Germany, September 2014. ACM. Short paper. [ .pdf
>>> <http://www.polleres.net/publications/stey-poll-2014SEMANTiCS.pdf> ]
>>>
>>> -- Prof. Dr. Axel Polleres
>>> Institute for Information Business, WU Vienna
>>> url: http://www.polleres.net/ twitter: @AxelPolleres
>>>
>>>> On 16.08.2018, at 16:16, Harsh <me@harshp.com
>>>> <mailto:me@harshp.com>> wrote:
>>>>
>>>> Hello all,
>>>>
>>>> I wish to know the community's informed opinions about any concerns
>>>> for using ODRL to model Consent for GDPR.
>>>>
>>>> To elaborate:
>>>>
>>>> Consent can be modeled as the Data Subject providing permissions for
>>>> purposes or activities for their (specific) personal data. ODRL
>>>> provides a systematic way to model such permissions and
>>>> prohibitions.
>>>>
>>>> However, to date, I am not aware of any work attempting to model
>>>> consent using ODRL (that has published their approach). There has
>>>> been use of RDF(S) and OWL [1,2] to model these concepts using terms
>>>> which ODRL (seemingly) already provides.
>>>>
>>>> Having not worked with ODRL before, it would be valuable to know the
>>>> community's thoughts on using what is essentially a rights language
>>>> to express consent as a legal policy using the vocabulary.
>>>>
>>>> In terms of DPVCG, this discussion is essentially evaluating an
>>>> existing ontology (ODRL) for a particular use-case (representation
>>>> of given consent).
>>>>
>>>> [1] Sabrina Kirrane, Javier D. Fernández, Wouter Dullaert, Uros
>>>> Milosevic, Axel Polleres, Piero Bonatti, Rigo Wenning, Olha Drozd
>>>> and Philip Raschke. *A Scalable Consent, Transparency and Compliance
>>>> Architecture.* Proceedings of the Posters and Demos Track of the
>>>> Extended Semantic Web Conference (ESWC 2018)
>>>>
>>>> [2] Kaniz Fatema, Ensar Hadziselimovic, _Harshvardhan J. Pandit_,
>>>> Dave Lewis. *Compliance through Informed Consent: Semantic Based
>>>> Consent Permission and Data Management Model.* Society, Privacy and
>>>> the Semantic Web - Policy and Technology (PrivOn), co-located with
>>>> ISWC 2017
>>>>
>>>>
>>>> Regards,
>>>>
>>>> -- ---
>>>> Harshvardhan Pandit
>>>> PhD Researcher
>>>> ADAPT Centre
>>>> Trinity College Dublin
>>>
>>
Received on Friday, 17 August 2018 12:20:07 UTC
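
Added example, not part of the original message or of ODRL itself: a default-deny check for the policy:42 permission above, showing one way an enforcement point could verify the obtainConsent duty that ODRL leaves undefined. The consent record fields (givenBy, givenTo, asset, action, givenAt, expiresAt, withdrawnAt) and the fulfilment rules are assumptions made for illustration.

```python
from datetime import datetime, timezone

# Constructed mirror of the policy in the message (policy:42), as plain data.
POLICY = {
    "target": "ex:asset_9898", "action": "odrl:reproduce",
    "assigner": "ex:Alice", "assignee": "ex:Bob",
    "duty": {"action": "odrl:obtainConsent",
             "consentingParty": "ex:Alice", "consentedParty": "ex:Bob"},
}

def consent_fulfils_duty(consent, policy, now):
    """Assumed semantics: a consent record discharges the duty only if it is
    from the consentingParty, to the consentedParty, scoped to the same
    asset and action, already given, not withdrawn and not expired."""
    duty = policy["duty"]
    return (consent.get("givenBy") == duty["consentingParty"]
            and consent.get("givenTo") == duty["consentedParty"]
            and consent.get("asset") == policy["target"]
            and consent.get("action") == policy["action"]
            and consent.get("withdrawnAt") is None
            and consent.get("givenAt") is not None
            and consent["givenAt"] <= now
            and (consent.get("expiresAt") is None or now < consent["expiresAt"]))

def decide(request, policy, consents, now):
    """Return (allowed, reason). Default deny: anything the permission does
    not cover, or any unfulfilled duty, is refused."""
    for key in ("assignee", "action", "target"):
        if request.get(key) != policy[key]:
            return False, f"no permission: {key} mismatch"
    if any(consent_fulfils_duty(c, policy, now) for c in consents):
        return True, "permitted: consent duty fulfilled"
    return False, "denied: obtainConsent duty not fulfilled"

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample consent records (field names are hypothetical).
VALID = {"givenBy": "ex:Alice", "givenTo": "ex:Bob", "asset": "ex:asset_9898",
         "action": "odrl:reproduce", "givenAt": utc(2018, 8, 1),
         "expiresAt": utc(2019, 8, 1), "withdrawnAt": None}
WRONG_PARTY = dict(VALID, givenBy="ex:Bob")   # Bob consenting on Alice's behalf
WITHDRAWN = dict(VALID, withdrawnAt=utc(2018, 8, 10))
REQUEST = {"assignee": "ex:Bob", "action": "odrl:reproduce", "target": "ex:asset_9898"}

if __name__ == "__main__":
    now = utc(2018, 8, 17)
    for name, store in [("valid", [VALID]), ("wrong party", [WRONG_PARTY]),
                        ("withdrawn", [WITHDRAWN]), ("none", [])]:
        print(name, decide(REQUEST, POLICY, store, now))
```

The checks that matter for auditability are the party and scope bindings: a record that names the wrong consenting party, or a different asset or action, must not discharge the duty.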