Re: ODRL Profile for Data Sovereignty

Hi Arghavan.
Thank you for the descriptive answer - it helped me understand your 
use-case.

My point in mentioning DPV is that without a similar effort each 
use-case/company/adopter would need to create such strings and concepts 
in their internal namespaces or as strings. This is not good for 
interoperability. Instead, if you represent the concepts using a common 
vocabulary such as DPV, e.g. by making dpv:EmergencyPurpose a concept 
that the use-cases can then _extend_ for their needs - it communicates 
clearly that the purpose is an emergency and leaves room for contextual 
adoption.

Similarly, 'verbs' like encrypt etc. also should be a part of a common 
vocabulary if they are expected to be interoperable - and DPV 
defines some 6000+ concepts to represent a lot of information so that 
use-cases such as this don't have to create and maintain the vocabulary 
themselves.

Regards,
Harsh

On 22/08/2024 14:18, Hosseinzadeh, Arghavan wrote:
> Dear Harsh,
> 
> First of all thank you for your message.
> 
> We differentiate “Specification Level Policies” and “Implementation Level Policies”. We consider ODRL policy language a technology-independent language that can be used to specify specification level policies. At this point, some terms may be used in the policy that aren’t defined (e.g., “emergency”). The language allows the usage of such “String” values. These policies are expressive; however, they cannot be enforced technically within the systems. To enforce such policies, we need to define the terms well and use a technology that can understand those terms. At this point, MYDATA Control Technologies can be used.
> 
> We have defined some right operand values such as “on allow” or “on deny” which aren’t context-specific and one can easily decide whether the access was allowed or not. On the other hand, to handle terms such as “emergency” which can be defined differently by each company, we rather leave it up to our users to use any vocabulary that fits their context to express their policies. For example, one can use DPV vocabulary to specify an ODRL policy when it comes to protecting personal data. In addition, users can combine several conditions and refinements to express more details in their policies (e.g., duration). This definitely helps to later enforce the policy.
> 
> And talking about GDPR, the action odrl:obtainConsent and the left operand odrl:purpose are examples of what the ODRL information model already provides for expressing relevant policies. We have introduced actions such as ods:encrypt or ods:log to extend the language. We will further extend our profile in future versions to be able to express and enforce more policies that address GDPR.
> 
> I hope you find my explanation useful.
> 
> Best regards
> Arghavan
> 
> 
> ---
> Arghavan Hosseinzadeh
> Senior Security Engineer
> Dept. Security Engineering
> 
> Fraunhofer IESE
> Fraunhofer-Platz 1 | 67663 Kaiserslautern
> +49 631 6800-2169
> arghavan.hosseinzadeh@iese.fraunhofer.de
> www.iese.fraunhofer.de
> 
> 
> 
> -----Original Message-----
> From: Harshvardhan Pandit <me@harshp.com>
> Sent: Friday, August 16, 2024 9:13 AM
> To: Hosseinzadeh, Arghavan <arghavan.hosseinzadeh@iese.fraunhofer.de>; public-odrl@w3.org
> Cc: Chwalek, Jessica <jessica.chwalek@iese.fraunhofer.de>; Brandstädter, Robin <robin.brandstaedter@iese.fraunhofer.de>; Feth, Denis <denis.feth@iese.fraunhofer.de>
> Subject: Re: ODRL Profile for Data Sovereignty
> 
> Hi.
> Thank you for sharing this work. I find it to be of interest.
> 
> I see the work linked to Mydata and IDSA. And on the mydata-control.de page you mention GDPR. Therefore is it accurate to infer that this profile is also intended to be used for use of personal data? If yes, then how does it relate to requirements such as legal basis (e.g. consent), data transfers, etc.? I went through https://profile.mydata-control.de/ods/#allow-data-usage-on-emergency which seems like a use-case subject to the GDPR, but didn't see such details there.
> 
> In the examples provided, there are literals used in places such as "emergency" (which is not clearly defined) https://profile.mydata-control.de/ods/#allow-data-usage-on-emergency It would be better to create a concept/class for this so as to express information such as what kind of emergency, its duration, and so on.
> 
> I think looking at Data Privacy Vocabulary (DPV) https://www.dpvcg.org/ might be helpful for this kind of work. We aim to create a standardised taxonomy that can be used e.g. with ODRL policies to express purposes and different technical measures.
> 
> Regards,
> Harsh
> 
> On 15/08/2024 09:27, Hosseinzadeh, Arghavan wrote:
>> Dear ODRL Community Group,
>>
>> We would like to register our ODRL profile. Here are the needed
>> details of the profile:
>>
>>    * Business name of the profile:
>>        o ODRL Profile for Data Sovereignty
>>    * Name and web URL of the party having created and planning to
>>      maintain the profile
>>        o Arghavan Hosseinzadeh, Jessica Chwalek, Robin Brandstädter from
>>          Fraunhofer IESE (https://www.iese.fraunhofer.de/)
>>    * Identifier of the profile
>>        o ODS
>>    * URL of the human-readable specification document
>>        o https://profile.mydata-control.de/ods/
>>        o https://github.com/Fraunhofer-IESE/ODS/
>>    * URL of the OWL Ontology and the name of the used format
>>        o RDF/Turtle:
>>          https://github.com/Fraunhofer-IESE/ODS/blob/main/ods-profile.ttl?raw=true
>>
>> Please, let us know if you need any further information.
>>
>> Thank you and best regards
>>
>> Arghavan Hosseinzadeh
>>
>> ---
>> Arghavan Hosseinzadeh
>> Senior Security Engineer
>> Dept. Security Engineering
>>
>> Fraunhofer IESE
>> Fraunhofer-Platz 1 | 67663 Kaiserslautern
>> +49 631 6800-2169
>> arghavan.hosseinzadeh@iese.fraunhofer.de
>> www.iese.fraunhofer.de
>>
>> ++ Data sovereignty with the help of Data Usage Control ++
>> <https://www.iese.fraunhofer.de/en/services/security/cyber-security/usage_control.html>
>>
> 
> --
> ---
> Harshvardhan J. Pandit, Ph.D
> Assistant Professor
> ADAPT Centre, Dublin City University
> https://harshp.com/

-- 
---
Harshvardhan J. Pandit, Ph.D
Assistant Professor
ADAPT Centre, Dublin City University
https://harshp.com/

Received on Thursday, 22 August 2024 16:52:10 UTC
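
Added example, not part of the original thread or of the ODS profile: a small check over an ODRL policy in JSON-LD form that reports every constraint whose right operand is a free string or an IRI outside a shared vocabulary, which is the interoperability gap discussed above. The sample policy, the example.org IRIs and the namespace list are assumptions constructed for illustration; dpv:EmergencyPurpose is the concept name proposed in the message, not one checked against the published DPV.

```python
# Namespaces treated as shared vocabularies (assumption for this example).
SHARED_NAMESPACES = ("http://www.w3.org/ns/odrl/2/", "https://w3id.org/dpv#")

# Constructed sample policy: one free-string purpose, one purpose using the
# concept name proposed in the thread, one typed value, one private-namespace IRI.
SAMPLE_POLICY = {
    "@context": "http://www.w3.org/ns/odrl.jsonld", "@type": "Set",
    "uid": "https://example.org/policy/1",
    "permission": [
        {"target": "https://example.org/data/1", "action": "use", "constraint": [
            {"leftOperand": "purpose", "operator": "eq", "rightOperand": "emergency"}]},
        {"target": "https://example.org/data/1", "action": "use", "constraint": [
            {"leftOperand": "purpose", "operator": "eq",
             "rightOperand": {"@id": "https://w3id.org/dpv#EmergencyPurpose"}},
            {"leftOperand": "elapsedTime", "operator": "lteq",
             "rightOperand": {"@value": "P1D", "@type": "xsd:duration"}},
            {"leftOperand": "purpose", "operator": "eq",
             "rightOperand": {"@id": "https://example.org/acme#Emergency"}}]},
    ],
}

def classify_operand(value):
    """Return 'shared', 'private', 'typed' or 'literal' for a rightOperand."""
    if isinstance(value, dict):
        if "@id" in value:  # IRI reference to a concept
            iri = value["@id"]
            return "shared" if iri.startswith(SHARED_NAMESPACES) else "private"
        if "@value" in value and "@type" in value:  # datatyped literal
            return "typed"
        value = value.get("@value")
    # A bare string carries no machine-readable definition of its meaning.
    return "literal" if isinstance(value, str) else "typed"

def find_constraints(node, path="policy"):
    """Yield (path, node) for every constraint or refinement in the policy."""
    if isinstance(node, dict):
        if "leftOperand" in node:
            yield path, node
        for key, child in node.items():
            yield from find_constraints(child, f"{path}.{key}")
    elif isinstance(node, list):
        for i, child in enumerate(node):
            yield from find_constraints(child, f"{path}[{i}]")

def lint_policy(policy):
    """List (path, leftOperand, kind) for operands other parties cannot resolve."""
    return [(path, c["leftOperand"], kind)
            for path, c in find_constraints(policy)
            for kind in [classify_operand(c.get("rightOperand"))]
            if kind in ("literal", "private")]
```
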