Modelling Jurisdiction / Laws as DPV extension

Hello, following today's discussion on modelling Jurisdiction/Location 
and Laws, this is a summary of the final state of proposal as the 
meeting ended. Please send your comments in reply to this to the mailing 

Minutes from today:

1) Expressing location for data storage, controller, data subject, etc.
- We have the Location and hasLocation concept
- <Acme hasLocation Wonderland> means the entity Acme (controller) is 
based in 'Wonderland' as location e.g. for legal purposes.
- Here, Location is a generic concept

2) Expressing Jurisdiction
- Jurisdiction is a Location whose laws are considered applicable, or 
relevant to the use-case/concept. For example, specifying that a 
particular use-case or policy considered EU to be the jurisdiction
- Jurisdiction is a tricky concept since it also relates to where 
entities are based, where laws are passed, what are their territorial 
scopes and so on.
- To avoid getting into the complexities of legal notion of 
jurisdiction, and to support use-cases that just want to indicate some 
location applies as a jurisdiction, we provide the property 

example: < SomePolicy hasApplicableJurisdiction EU >

- This means the policy is to be interpreted in terms of EU 
requirements, which would mean adhering to GDPR amongst other things

3) Expressing a specific Law
- To explicitly state a 'law' such as GDPR is applicable, we provide the 
property `hasApplicableLaw`

example: < SomePolicy hasApplicableLaw GDPR >

- This means the policy is to be interpreted in terms of GDPR. Both 
properties can be expressed to further represent combinations. For 
example, Bavaria (Region in Country Germany) is the applicable 
jurisdiction and that GDPR also applies.

4) Useful collection of countries, laws, etc.
- This information could also have been inferred but requies a KG of 
countries and their regions and their laws. DPV can provide a list of 
countries (including EU) and their laws, DPAs, and adequacy decisions 
using these properties. This would support representing locations and 
jurisdictions for use-cases.
- For example, see: 
as a list of countries, DPAs, and adequacy decisions.

5) Use-case from Georg: A shop has a CCTV whose location has to be 
expressed, with the country also expressed for convenience
- Location can be expressed in many ways, e.g. as address, as 

< ex:Shop dpv:hasLocation ex:LOC >
< ex:LOC a dpv:Location >
< ex:LOC geo:lat "100" >
< ex:LOC geo:long "200" >
< ex:LOC dpv:hasCountry dpv-juris:DE >

- note that the property hasCountry is a specialisation of hasLocation 
since expressing the country explicitly is considered a requirement 
(e.g. relevant for data transfer, data storage).

5) Use-case: Determining if a correct legal basis is applied
- This use-case shows why the jurisdiction/location concepts are useful, 
and how they can be applied to support compliance checks

# Data in dpv-juris.ttl expressing adequacy between EU and Switzerland
dpv-juris:EUAdequacyCH a dpv-gdpr:A45-3 ;
     rdfs:label "EU Adequacy Decision for Switzerland" ;
     dcat:temporal [ a dcat:PeriodOfTime ;
             dcat:startDate "2000-08-25"^^xsd:date ] ;
     dpv:hasCountry dpv-juris:Switzerland .

dpv-juris:GDPR a dpv:Law ;
     dpv:hasApplicableJurisdiction dpv-juris:EU .

# Use-case where data is transferred to Switzerland
ex:Policy a dpv:PersonalDataHandling ;
     dpv:hasApplicableLaw dpv-juris:GDPR ;
     dpv:hasProcessing [
         a dpv:Store ;
         dpv:hasLocation dpv-juris:CH ] .

# using dpv-juris the below can be used to assist the user in selecting 
the appopriate legal basis or to validate it is correct
0) Check applicable law (not needed if it is known GDPR is to be used) 
1) Data Processing Location is within EU? -> No
2) Data Processing Location has Adequacy -> Yes
3) Use dpv-juris:EUAdequacyCH as the legal basis (GDPR A.45-3)

6) Use-case from Julian where data is processed in Bavaria and it is to 
be inferred GDPR (also applies).
- For this, Bavaria as a region of Germany, and Germany as a member of 
EU needs to be represented.
- Proposal is to only have Countries in DPV (extension), and to either 
represent ALL regions in all countries, or not represent them at all.

# Use-Case graph
ex:Bavaria a dpv:Region .
ex:Bavaria dpv:hasCountry dpv-juris:Germany .
ex:P1 a dpv:PersonalDataHandling ;
     # Expressing processing is within Bavaria (Jurisdiction)
     dpv:hasApplicableJurisdiction ex:Bavaria ;
     # Expressing processing is within Bavaria (Location)
     dpv:hasLocation ex:Bavaria .

# DPV-JURIS info
dpv-juris:Germany a dpv:Country ;
     rdfs:label "Germany"^^xsd:string ;
     dpv:hasAuthority dpv-juris:DE-DPA ;
     dpv-juris:isMemberOf dpv-juris:EEA,
         dpv-juris:EU ;
     dpv-juris:iso3166_apha2 "DE"^^xsd:string ;
     dpv-juris:iso3166_apha3 "DEU"^^xsd:string .

# From above
1) Bavarian as location or jurisdiction
2) Retrieve Bavarian Laws if Use-case or KG provides any
3) Bavaria has Germany as Country
4) Retrieve German laws if any
5) Germany is within the EU
6) Retrieve EU laws
7) Identified laws: GDPR, German Law, Bavarian Law

Here steps 4-6 is what is being proposed to be included in a 
Jurisdiction extension (i.e. specify Germany is a country with a DPA, 
its own data protection law, and that it is a member of EU which has 
GDPR as a law).

7) Laws and Topics

Note in above, when expressing Law, the topic of the law is also 
important. So we might want to do something like:

ex:GDPR a dpv:Law ;
   ex:hasApplicationJurisdiction ex:EU ;
   ex:hasTopic ex:Privacy, ex:DataProtection .

The EU's Publication Office has a taxonomy and/or annotation of laws and 
their topics. See subject matter and EUROVOC topics for GDPR here:

Harshvardhan J. Pandit, Ph.D
Research Fellow
ADAPT Centre, Trinity College Dublin

Received on Wednesday, 5 January 2022 15:39:05 UTC