- From: Harshvardhan J. Pandit <me@harshp.com>
- Date: Wed, 5 Jan 2022 15:38:47 +0000
- To: Data Privacy Vocabularies and Controls Community Group <public-dpvcg@w3.org>
Hello, following today's discussion on modelling Jurisdiction/Location and Laws, this is a summary of the final state of the proposal as the meeting ended. Please send your comments in reply to this to the mailing list.

Minutes from today: https://www.w3.org/2022/01/05-dpvcg-minutes.html

1) Expressing location for data storage, controller, data subject, etc.
- We have the Location and hasLocation concept
- <Acme hasLocation Wonderland> means the entity Acme (controller) is based in 'Wonderland' as location e.g. for legal purposes.
- Here, Location is a generic concept

2) Expressing Jurisdiction
- Jurisdiction is a Location whose laws are considered applicable, or relevant to the use-case/concept. For example, specifying that a particular use-case or policy considered EU to be the jurisdiction
- Jurisdiction is a tricky concept since it also relates to where entities are based, where laws are passed, what are their territorial scopes and so on.
- To avoid getting into the complexities of legal notion of jurisdiction, and to support use-cases that just want to indicate some location applies as a jurisdiction, we provide the property `hasApplicableJurisdiction`
  example: < SomePolicy hasApplicableJurisdiction EU >
- This means the policy is to be interpreted in terms of EU requirements, which would mean adhering to GDPR amongst other things

3) Expressing a specific Law
- To explicitly state a 'law' such as GDPR is applicable, we provide the property `hasApplicableLaw`
  example: < SomePolicy hasApplicableLaw GDPR >
- This means the policy is to be interpreted in terms of GDPR.

Both properties can be expressed to further represent combinations. For example, Bavaria (Region in Country Germany) is the applicable jurisdiction and that GDPR also applies.

4) Useful collection of countries, laws, etc.
- This information could also have been inferred but requires a KG of countries and their regions and their laws. DPV can provide a list of countries (including EU) and their laws, DPAs, and adequacy decisions using these properties. This would support representing locations and jurisdictions for use-cases.
- For example, see: https://github.com/coolharsh55/dpv-x/blob/master/dpv-jurisdictions/juris.ttl as a list of countries, DPAs, and adequacy decisions.

5) Use-case from Georg: A shop has a CCTV whose location has to be expressed, with the country also expressed for convenience
- Location can be expressed in many ways, e.g. as address, as geo-coordinates.

    < ex:Shop dpv:hasLocation ex:LOC >
    < ex:LOC a dpv:Location >
    < ex:LOC geo:lat "100" >
    < ex:LOC geo:long "200" >
    < ex:LOC dpv:hasCountry dpv-juris:DE >

- note that the property hasCountry is a specialisation of hasLocation since expressing the country explicitly is considered a requirement (e.g. relevant for data transfer, data storage).

5) Use-case: Determining if a correct legal basis is applied
- This use-case shows why the jurisdiction/location concepts are useful, and how they can be applied to support compliance checks

    # Data in dpv-juris.ttl expressing adequacy between EU and Switzerland
    dpv-juris:EUAdequacyCH a dpv-gdpr:A45-3 ;
        rdfs:label "EU Adequacy Decision for Switzerland" ;
        rdfs:seeAlso "https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32000D0518"^^xsd:anyURI ;
        dcat:temporal [ a dcat:PeriodOfTime ;
            dcat:startDate "2000-08-25"^^xsd:date ] ;
        dpv:hasCountry dpv-juris:Switzerland .

    dpv-juris:GDPR a dpv:Law ;
        dpv:hasApplicableJurisdiction dpv-juris:EU .

    # Use-case where data is transferred to Switzerland
    ex:Policy a dpv:PersonalDataHandling ;
        dpv:hasApplicableLaw dpv-juris:GDPR ;
        dpv:hasProcessing [ a dpv:Store ;
            dpv:hasLocation dpv-juris:CH ] .

    # using dpv-juris the below can be used to assist the user in
    # selecting the appropriate legal basis or to validate it is correct
    0) Check applicable law (not needed if it is known GDPR is to be used) -> GDPR
    1) Data Processing Location is within EU? -> No
    2) Data Processing Location has Adequacy -> Yes
    3) Use dpv-juris:EUAdequacyCH as the legal basis (GDPR A.45-3)

6) Use-case from Julian where data is processed in Bavaria and it is to be inferred GDPR (also applies).
- For this, Bavaria as a region of Germany, and Germany as a member of EU needs to be represented.
- Proposal is to only have Countries in DPV (extension), and to either represent ALL regions in all countries, or not represent them at all.

    # Use-Case graph
    ex:Bavaria a dpv:Region .
    ex:Bavaria dpv:hasCountry dpv-juris:Germany .
    ex:P1 a dpv:PersonalDataHandling ;
        # Expressing processing is within Bavaria (Jurisdiction)
        dpv:hasApplicableJurisdiction ex:Bavaria ;
        # Expressing processing is within Bavaria (Location)
        dpv:hasLocation ex:Bavaria .

    # DPV-JURIS info
    dpv-juris:Germany a dpv:Country ;
        rdfs:label "Germany"^^xsd:string ;
        dpv:hasAuthority dpv-juris:DE-DPA ;
        dpv-juris:isMemberOf dpv-juris:EEA, dpv-juris:EU ;
        dpv-juris:iso3166_apha2 "DE"^^xsd:string ;
        dpv-juris:iso3166_apha3 "DEU"^^xsd:string .

    # From above
    1) Bavarian as location or jurisdiction
    2) Retrieve Bavarian Laws if Use-case or KG provides any
    3) Bavaria has Germany as Country
    4) Retrieve German laws if any
    5) Germany is within the EU
    6) Retrieve EU laws
    7) Identified laws: GDPR, German Law, Bavarian Law

Here steps 4-6 is what is being proposed to be included in a Jurisdiction extension (i.e. specify Germany is a country with a DPA, its own data protection law, and that it is a member of EU which has GDPR as a law).

7) Laws and Topics
Note in above, when expressing Law, the topic of the law is also important. So we might want to do something like:

    ex:GDPR a dpv:Law ;
        ex:hasApplicationJurisdiction ex:EU ;
        ex:hasTopic ex:Privacy, ex:DataProtection .

The EU's Publication Office has a taxonomy and/or annotation of laws and their topics. See subject matter and EUROVOC topics for GDPR here: https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX:32016R0679

Regards,
-- 
---
Harshvardhan J. Pandit, Ph.D
Research Fellow
ADAPT Centre, Trinity College Dublin
https://harshp.com/
Received on Wednesday, 5 January 2022 15:39:05 UTC
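
The two inference procedures from the message (selecting a legal basis through an adequacy decision, and collecting laws by walking Region, Country and EU membership), as an added example that is not part of the original e-mail or of DPV. The triples are constructed sample data using the message's names; `ex:GermanLaw`, `ex:BavarianLaw`, the helper names, and the use of the single IRI `dpv-juris:CH` for both the adequacy decision and the storage location are assumptions.

```python
# Constructed sample graph as (subject, predicate, object) triples.
# ex:GermanLaw and ex:BavarianLaw are hypothetical placeholders.
TRIPLES = {
    ("ex:Bavaria", "rdf:type", "dpv:Region"),
    ("ex:Bavaria", "dpv:hasCountry", "dpv-juris:Germany"),
    ("dpv-juris:Germany", "dpv-juris:isMemberOf", "dpv-juris:EU"),
    ("dpv-juris:Germany", "dpv-juris:isMemberOf", "dpv-juris:EEA"),
    ("dpv-juris:GDPR", "dpv:hasApplicableJurisdiction", "dpv-juris:EU"),
    ("ex:GermanLaw", "dpv:hasApplicableJurisdiction", "dpv-juris:Germany"),
    ("ex:BavarianLaw", "dpv:hasApplicableJurisdiction", "ex:Bavaria"),
    # Assumption: adequacy decision and storage location share one IRI.
    ("dpv-juris:EUAdequacyCH", "rdf:type", "dpv-gdpr:A45-3"),
    ("dpv-juris:EUAdequacyCH", "dpv:hasCountry", "dpv-juris:CH"),
}

def objects(s, p):
    return {o for (s2, p2, o) in TRIPLES if s2 == s and p2 == p}

def subjects(p, o):
    return {s for (s, p2, o2) in TRIPLES if p2 == p and o2 == o}

def enclosing_jurisdictions(location):
    """The location plus everything reachable via hasCountry / isMemberOf."""
    seen, todo = set(), [location]
    while todo:
        loc = todo.pop()
        if loc in seen:
            continue  # guards against membership cycles in the data
        seen.add(loc)
        todo += objects(loc, "dpv:hasCountry") | objects(loc, "dpv-juris:isMemberOf")
    return seen

def applicable_laws(location):
    """Bavaria use-case: laws of every jurisdiction enclosing the location."""
    return {law for j in enclosing_jurisdictions(location)
            for law in subjects("dpv:hasApplicableJurisdiction", j)}

def transfer_legal_basis(law, processing_location):
    """Legal-basis use-case: None if processing stays inside the law's
    jurisdiction, else the adequacy decision covering the location."""
    home = objects(law, "dpv:hasApplicableJurisdiction")
    if home & enclosing_jurisdictions(processing_location):
        return None
    decisions = {d for d in subjects("dpv:hasCountry", processing_location)
                 if "dpv-gdpr:A45-3" in objects(d, "rdf:type")}
    if not decisions:
        raise LookupError(f"no adequacy decision recorded for {processing_location}")
    return sorted(decisions)[0]
```

The type filter on `dpv-gdpr:A45-3` matters because `dpv:hasCountry` is also used by regions such as `ex:Bavaria`, so a bare reverse lookup on that property would return non-decisions.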