Lawful and Accountable Personal Data Processing with GDPR-based Access and Usage Control in Distributed Systems

📅 2025-03-10
📈 Citations: 0
Influential: 0
📄 PDF

career value

226K/year
🤖 AI Summary
This paper addresses the challenges of GDPR compliance, ambiguous accountability, and high manual auditing costs in cross-organizational distributed data processing. Methodologically, it introduces the first automated compliance framework integrating legal expert judgment with formal reasoning: (i) a purpose-limitation–driven GDPR ontology and semantic model; (ii) a novel deep extension of eFLINT and XACML to support legally precise policy modeling and verifiable enforcement; and (iii) an automated normative reasoning engine that generates auditable legality justifications. Contributions include: transparent and accountable data access control; empirical validation across multiple distributed data space prototypes demonstrating completeness of legal argumentation, accuracy of policy enforcement, and seamless system integrability; and significant reduction in organizational compliance overhead and legal risk.

Technology Category

Application Category

📝 Abstract
Compliance with the GDPR privacy regulation places a significant burden on organisations regarding the handling of personal data. The perceived efforts and risks of complying with the GDPR further increase when data processing activities span across organisational boundaries, as is the case in both small-scale data sharing settings and in large-scale international data spaces. This paper addresses these concerns by proposing a case-generic method for automated normative reasoning that establishes legal arguments for the lawfulness of data processing activities. The arguments are established on the basis of case-specific legal qualifications made by privacy experts, bringing the human in the loop. The obtained expert system promotes transparency and accountability, remains adaptable to extended or altered interpretations of the GDPR, and integrates into novel or existing distributed data processing systems. This result is achieved by defining a formal ontology and semantics for automated normative reasoning based on an analysis of the purpose-limitation principle of the GDPR. The ontology and semantics are implemented in eFLINT, a domain-specific language for specifying and reasoning with norms. The XACML architecture standard, applicable to both access and usage control, is extended, demonstrating how GDPR-based normative reasoning can integrate into (existing, distributed) systems for data processing. The resulting system is designed and critically assessed in reference to requirements extracted from the GPDR.
Problem

Research questions and friction points this paper is trying to address.

Automated normative reasoning for GDPR compliance in data processing.
Integration of GDPR-based access and usage control in distributed systems.
Formal ontology and semantics for lawful and accountable data handling.
Innovation

Methods, ideas, or system contributions that make the work stand out.

Automated normative reasoning for GDPR compliance
Formal ontology and semantics in eFLINT
Extended XACML for GDPR-based access control
🔎 Similar Papers
No similar papers found.
L. Thomas van Binsbergen
L. Thomas van Binsbergen
University of Amsterdam
Software Language EngineeringFormal MethodsMulti-Agent SystemsNormative Reasoning
M
Marten C. Steketee
Informatics Institute, University of Amsterdam, Amsterdam, The Netherlands.
M
Milen G. Kebede
Informatics Institute, University of Amsterdam, Amsterdam, The Netherlands.
H
Heleen L. Janssen
Institute for Information Law, University of Amsterdam, Amsterdam, The Netherlands.
T
Tom M. van Engers
Informatics Institute, University of Amsterdam, Amsterdam, The Netherlands.; Institute for Information Law, University of Amsterdam, Amsterdam, The Netherlands.; Leibniz Institute, TNO, Amsterdam/The Hague, The Netherlands.