- From: Hosseinzadeh, Arghavan <arghavan.hosseinzadeh@iese.fraunhofer.de>
- Date: Thu, 22 Aug 2024 13:18:48 +0000
- To: Harshvardhan Pandit <me@harshp.com>, "public-odrl@w3.org" <public-odrl@w3.org>
- CC: "Chwalek, Jessica" <jessica.chwalek@iese.fraunhofer.de>, Brandstädter, Robin <robin.brandstaedter@iese.fraunhofer.de>, "Feth, Denis" <denis.feth@iese.fraunhofer.de>
Dear Harsh, First of all thank you for your message. We differentiate „Specification Level Policies“ and “Implementation Level Policies”. We consider ODRL policy language a technology independent language that can be used to specify specification level policies. At this point, some terms may be used in the policy that aren’t defined (e.g., “emergency”). The language allows the usage of such “String” values. These policies are expressive; however, they cannot be enforced technically within the systems. To enforce such policies, we need to define the terms well and use a technology that can understand those terms. At this point, MYDATA Control Technologies can be used. We have defined some right operand values such as “on allow” or “on deny” which aren’t context-specific and one can easily decide whether the access was allowed or not. On the other hand, to handle terms such as “emergency” which can be defined differently by each company, we rather leave it up to our users to use any vocabulary that fits their context to express their policies. For example, one can use DPV vocabulary to specify an ODRL policy when it comes to protect personal data. In addition, users can combine several conditions and refinements to express more details in their policies (e.g., duration). This definitely helps to later enforce the policy. And talking about GDPR, the action odrl:obtainConsent and the left operand odrl:purpose are examples of what ODRL information model already provides for express relevant policies. We have introduced actions such as ods:encrypt or ods:log to extend the language. We will further extend our profile in the future versions to be able to express and enforce more policies that address GDPR. I hope you find my explanation useful. Best regards Arghavan --- Arghavan Hosseinzadeh Senior Security Engineer Dept. Security Engineering Fraunhofer IESE Fraunhofer-Platz 1 | 67663 Kaiserslautern +49 631 6800-2169 arghavan.hosseinzadeh@iese.fraunhofer.de www.iese.fraunhofer.de -----Original Message----- From: Harshvardhan Pandit <me@harshp.com> Sent: Friday, August 16, 2024 9:13 AM To: Hosseinzadeh, Arghavan <arghavan.hosseinzadeh@iese.fraunhofer.de>; public-odrl@w3.org Cc: Chwalek, Jessica <jessica.chwalek@iese.fraunhofer.de>; Brandstädter, Robin <robin.brandstaedter@iese.fraunhofer.de>; Feth, Denis <denis.feth@iese.fraunhofer.de> Subject: Re: ODRL Profile for Data Sovereignty Hi. Thank you for sharing this work. I find it to be of interest. I see the work linked to Mydata and IDSA. And on the mydata-control.de page you mention GDPR. Therefore is it accurate to infer that this profile is also intended to be used for use of personal data? If yes, then how does it relate to requirements such as legal basis (e.g. consent), data transfers, etc.? I went through https://profile.mydata-control.de/ods/#allow-data-usage-on-emergency which seems like an use-case subject to the GDPR, but didn't see such details there. In the examples provided, there are literals used in places such as "emergency" (which is not clearly defined) https://profile.mydata-control.de/ods/#allow-data-usage-on-emergency It would be better to create a concept/class for this so as to express information such as what kind of emergency, its duration, and so on. I think looking at Data Privacy Vocabulary (DPV) https://www.dpvcg.org/ might be helpful for this kind of work. We aim to create a standardised taxonomy that can be used e.g. with ODRL policies to express purposes and different technical measures. Regards, Harsh On 15/08/2024 09:27, Hosseinzadeh, Arghavan wrote: > Dear ODRL Community Group, > > We would like to register our ODRL profile. Here are the needed > details of the profile: > > * Business name of the profile: > o ODRL Profile for Data Sovereignty > * Name and web URL of the party having created and planning to > maintain the profile > o Arghavan Hosseinzadeh, Jessica Chwalek, Robin Brandstädter from > Fraunhofer IESE (https://www.iese.fraunhofer.de/ > <https://www.iese.fraunhofer.de/>) > * Identifier of the profile > o ODS > * URL of the human-readable specification document > o https://profile.mydata-control.de/ods/ > <https://profile.mydata-control.de/ods/> > o https://github.com/Fraunhofer-IESE/ODS/ > <https://github.com/Fraunhofer-IESE/ODS/> > * URL of the OWL Ontology and the name of the used format > o RDF/Turtle: > > https://github.com/Fraunhofer-IESE/ODS/blob/main/ods-profile.ttl?raw=t > rue > <https://github.com/Fraunhofer-IESE/ODS/blob/main/ods-profile.ttl?raw= > true> > > Please, let us know if you need any further information. > > Thank you and best regards > > Arghavan Hosseinzadeh > > --- > > *Arghavan Hosseinzadeh * > > Senior Security Engineer / > /Dept. Security Engineering > > *Fraunhofer IESE * > > Fraunhofer-Platz 1 | 67663 Kaiserslautern > > +49 631 6800-2169 > > _arghavan.hosseinzadeh@iese.fraunhofer.de > <mailto:arghavan.hosseinzadeh@iese.fraunhofer.de>_ > > _www.iese.fraunhofer.de <https://www.iese.fraunhofer.de/>___ > > ---------------------------------------------------------------------- > --- > > ++ Data sovereignty with the help of Data Usage Control ++ > <https://www.iese.fraunhofer.de/en/services/security/cyber-security/us > age_control.html>__ > > ---------------------------------------------------------------------- > --- > -- --- Harshvardhan J. Pandit, Ph.D Assistant Professor ADAPT Centre, Dublin City University https://harshp.com/
Received on Thursday, 22 August 2024 13:19:52 UTC