- From: Henry Story <henry.story@bblfish.net>
- Date: Wed, 18 Mar 2020 09:23:05 +0100
- To: "Harshvardhan J. Pandit" <me@harshp.com>
- Cc: semantic-web <semantic-web@w3.org>, Nataliia Bielova <nataliia.bielova@inria.fr>, rigo@w3.org, Prof Mireille Hildebrandt <m.hildebrandt@cs.ru.nl>
> On 17 Mar 2020, at 23:16, Harshvardhan J. Pandit <me@harshp.com> wrote:
>
> Hi Henry, everyone.
> I'm replying specifically for #12 regarding GDPR policies.
>
> On 17/03/2020 13:02, Henry Story wrote:
>> 12. Machine Readable GDPR Policies
>>
>> The following blog post details in a couple of paragraphs each of
>> these points with illustrations and links where helpful
>> https://medium.com/@bblfish/use-cases-for-the-web-of-nations-361c24d5eaee
>
> What you are describing in your post
> (https://medium.com/@bblfish/use-cases-for-the-web-of-nations-361c24d5eaee#e21a)
> is essentially what P3P (https://www.w3.org/P3P/) was supposed to be in spirit.
>
> The largest challenge to having machine-readable privacy policies is (IMHO):
>
> (1) the lack of a legal impetus or requirement to provide them as such.
> Even when a law, such as the GDPR, requires some specific information to be included,
> organisations routinely do not provide such information.
>
> (2) lack of structured machine-readable metadata to specify information to be
> presented in a privacy policy. P3P was an effort in this direction.
> I have been involved in a related effort called the Data Privacy Vocabulary (DPV)
> http://w3.org/ns/dpv
> which can be applied in the context of specifying privacy policy metadata.
> To date, AFAIK, there isn't a 'complete' solution for specifying the entirety
> of a privacy policy in the form of machine-readable metadata.
>
> (3) even where the onus of providing metadata is on the organisation, the onus of
> developing tools/solutions to interpret the metadata (even if for viewing/display)
> falls on the society at large - and currently I think only academia is looking at
> this solution from a research project POV.
> Current focus is mostly related to abstract categorisation of privacy policy
> (see UsablePrivacy https://explore.usableprivacy.org/ ; Polisis https://pribot.org/polisis)
> and/or on consent, and using that to display visualisation, graphs, analysis of
> privacy policy and consent information.
> However, a privacy policy is supposed to contain information other than those
> currently captured/represented, such as other legal bases/justifications,
> applicable laws/jurisdictions, rights, etc.
> There is ongoing work (e.g. see Polisis above and CLAUDETTE http://www.claudette.eu/gdpr/)
> given GDPR's obligations on inclusion of certain data,
> but again - this is a social/community effort with diverging approaches and a marked
> lack of open data regarding privacy policy metadata or ontology which everyone can
> use, adopt, and build upon to provide the solution you allude to in your post.

Dear Harshvardhan,

thanks for the very detailed summary of previous work on machine readable privacy policies.

In a personal e-mail conversation with Nataliia Bielova [1] in November last year, she also pointed to the work on P3P, asking rhetorically why it would stand a better chance now. The difference I guess is that now law is on the side of those producing a machine readable privacy policy, where it was not in 2002 when P3P was standardized. This of course was brought about by a huge change of consciousness. Indeed at the time (1999) Scott McNealy, head of Sun Microsystems, could say "Privacy is Dead. Get Over it!" [2], Facebook did not exist, Snowden had not made his revelations, … So we were also living in a completely different world.
We should not discount 20 years of intervening research, as well as work on standardization in the semantic web, experience deploying linked data, … In addition to the work you mentioned above, Rigo Wenning on Twitter pointed me last week to the EU work https://www.specialprivacy.eu/

There are also good books now to help Computer Scientists understand how the Law works, such as Mireille Hildebrandt's "Law For Computer Scientists", available online, which has a chapter on Privacy Law https://lawforcomputerscientists.pubpub.org/ Her group Cohubicol https://www.cohubicol.com/ is also working in the area of privacy policies.

The point I was trying to make in "Use Cases for the Web of Nations" is complementary to the work on machine readable privacy policies. The point can be put like this: assume that we did have a working successor to P3P, that had the support of nations which legally required these to be supported by browsers, as seat belts are required to be installed in cars. Then for those policies to be meaningful we would still need to know what legal space the owner of the web site was bound to. For if the web site was bound by no law, then the legal status of their P3P-like policy would be unclear and the browser would need to make this visible to the user. The privacy policy work therefore presupposes a Web of Nations. Since building the latter will also take time, one should start with it now, so that both can come to fruition together. The Web of Nations is the minimum needed to allow the Web, which is a topological space, to be tied to the legal space, which has always been territorial. See the twitter thread: https://twitter.com/bblfish/status/1234197224571179009

Many thanks for your very helpful input, which has reminded me of these references. I will update the blog post to point to this thread.
Henry Story

[1] http://www-sop.inria.fr/members/Nataliia.Bielova/
[2] https://www.wired.com/1999/01/sun-on-privacy-get-over-it/

> Regards,
> --
> ---
> Harshvardhan Pandit
> PhD Researcher
> ADAPT Centre
> Trinity College Dublin
Received on Wednesday, 18 March 2020 08:23:29 UTC