Score
Interpreting and operationalizing legal and standards obligations for data and systems—such as GDPR, HIPAA, CCPA, and relevant ISO/NIST frameworks—by implementing data protection measures, documentation (DPIAs), audit trails, consent management, and compliance monitoring.
This study addresses the compliance challenges faced by data practitioners in machine learning systems under regulations such as the GDPR and the AI Act, particularly concerning data quality. Through semi-structured interviews with practitioners in the European Union, combined with thematic analysis of regulatory texts and engineering workflows, the research systematically uncovers a structural disconnect between regulation-driven data quality requirements and ML engineering practices. It identifies five core challenges: misalignment between legal principles and engineering implementation, fragmented data pipelines, lack of purpose-built compliance tools, ambiguous accountability, and reactive responses to audits. Building on these findings, the work proposes directions for designing compliance-oriented tooling, establishing effective governance mechanisms, and fostering cultural transformation to bridge the gap between regulatory mandates and practical ML development.
This paper addresses the challenges of GDPR compliance, ambiguous accountability, and high manual auditing costs in cross-organizational distributed data processing. Methodologically, it introduces the first automated compliance framework integrating legal expert judgment with formal reasoning: (i) a purpose-limitation–driven GDPR ontology and semantic model; (ii) a novel deep extension of eFLINT and XACML to support legally precise policy modeling and verifiable enforcement; and (iii) an automated normative reasoning engine that generates auditable legality justifications. Contributions include: transparent and accountable data access control; empirical validation across multiple distributed data space prototypes demonstrating completeness of legal argumentation, accuracy of policy enforcement, and seamless system integrability; and significant reduction in organizational compliance overhead and legal risk.
This paper addresses the regulatory misalignment between the EU’s Cyber Resilience Act (CRA) and the General Data Protection Regulation (GDPR). Using comparative legal analysis, requirements mapping modeling, and normative semantic parsing, it systematically establishes the first structured mapping of their security requirements. The study identifies six shared security requirements—spanning confidentiality, integrity, and availability—and originality distills seven novel core security obligations introduced by the CRA, clarifying how they extend and reconfigure existing compliance frameworks. By bridging a critical gap in requirements engineering driven by regulatory evolution, the work delivers a traceable, actionable cross-regulatory requirements alignment framework. This framework provides theoretical foundations and practical guidance for legally compliant security design across the full lifecycle of secure products.
This work addresses the limitations of existing data governance tools, which struggle to dynamically adapt to emerging regulations such as India’s Digital Personal Data Protection (DPDP) Act and often lack transparency and explainability, leading to inadequate compliance. To bridge this gap, the paper introduces the first goal-driven agent framework specifically designed for data compliance. The framework integrates a KYU Agent and a Compliance Agent that jointly leverage semantic understanding, user trust modeling, and data sensitivity reasoning, embedding regulatory logic directly into the system to ensure auditable and interpretable decisions. It incorporates anonymization strategies—including masking, pseudonymization, and generalization—and demonstrates significant improvements in DPDP compliance across ten domains, including healthcare, education, and e-commerce, enabling transparent, efficient, and cross-domain adaptive data governance.
This paper identifies systemic privacy risks in decentralized digital contact-tracing systems—exemplified by Germany’s Corona-Warn-App (CWA)—under the GDPR. Using the Standard Data Protection Model (SDM), it conducts the first structured Data Protection Impact Assessment (DPIA) to rigorously evaluate compliance of decentralized architectures. The analysis reveals that current implementations fail to achieve genuine anonymization, enabling re-identification of users; rely on invalid legal bases, as informed consent does not satisfy GDPR requirements for lawful processing; and harbor persistent high-risk vulnerabilities previously undetected or unremediated. Beyond application-specific flaws, the study uncovers cross-app privacy spillovers and fundamental rights infringements. It proposes a privacy-by-design framework centered on data minimization, strengthened anonymization techniques, and alternative lawful bases—offering both a reusable methodological paradigm and empirically grounded guidance for privacy-respectful public health technologies. (149 words)
Developers face significant practical challenges in implementing data privacy regulations (e.g., GDPR, CPRA) and lack adequate automated tooling to support compliance. Method: We conducted a mixed-methods study with 68 software developers—including structured surveys, in-depth interviews, and statistical modeling—to systematically identify their core requirements for privacy-compliance tools and the factors influencing those needs. Contribution/Results: We find that developers strongly prefer integrated, context-aware tooling; moreover, those with greater privacy experience place higher emphasis on tool reliability and legal alignment. Our analysis reveals a statistically significant positive association between developers’ privacy expertise and their demand for sophisticated, regulation-aware tool features. This study is the first empirical investigation centered explicitly on developers’ privacy-compliance enablement needs, thereby filling a critical gap in the literature. The findings provide foundational, evidence-based guidance for designing next-generation, generative-AI–powered privacy compliance automation tools.
This study addresses the compliance challenges faced by AI agents operating within the European Union’s complex, multi-regulatory environment, particularly those arising from behavior drift and insufficient transparency across multi-agent linkages. It presents the first systematic integration of key regulatory and policy instruments—including the Artificial Intelligence Act, the Cyber Resilience Act (CRA), Standardization Request M/613, and the GPAI Code of Conduct—into a unified compliance framework tailored for AI agents. By employing regulatory mapping, a behavioral taxonomy, and data flow tracing, the work establishes correspondences between nine deployment scenarios and relevant legal triggers, and proposes a twelve-step implementation pathway. The research underscores that high-risk AI agents exhibiting untraceable behavior drift cannot satisfy the core requirements of the AI Act, necessitating providers to comprehensively audit their agents’ external behaviors, data flows, interconnected systems, and impacted entities.
This work addresses the error-prone and labor-intensive process of manually translating regulatory texts such as the GDPR and the EU AI Act into actionable software requirements. The authors propose Reg2Req, the first end-to-end automated pipeline that leverages natural language processing to identify regulatory provisions, generate system-agnostic software requirements accompanied by plain-language explanations, and establish traceability links. The approach supports requirement classification, use case seed generation, and cross-reference analysis, achieving macro-averaged F1 scores of 0.82 on the GDPR and 0.78 on the EU AI Act. A user study demonstrates that the generated plain-language explanations significantly enhance users’ comprehension and confidence in taking compliance actions (p < 0.001), with all participants expressing willingness to adopt the output as a starting point for compliance efforts.
Policy-Based Access Control (PBAC) faces significant challenges in unified modeling and dynamic compliance assessment across multiple regulatory frameworks (e.g., GDPR, HIPAA, CCPA). Method: This paper proposes a semantic rule framework grounded in RDF/SPARQL, featuring an extensible compliance metamodel and domain ontology to enable structured representation of cross-regulatory provisions, context-aware policy reasoning, and automated compliance alignment. It integrates Semantic Web technologies—including RDF knowledge representation, SPARQL querying, and SWRL rule-based inference—with a lightweight reasoning engine to support formal policy specification, real-time enforcement, continuous monitoring, sensitive data discovery, and quantitative risk assessment. Contribution/Results: Experimental evaluation demonstrates that the framework substantially improves accuracy, interpretability, and maintainability of compliance assessments in multi-framework coordination scenarios, while enabling scalable, semantically rigorous, and operationally actionable governance.
This study addresses the widespread lack of compliance disclosures regarding data privacy regulations—such as GDPR and CCPA—in AI datasets hosted on the Hugging Face platform, which poses significant regulatory risks. For the first time, the paper introduces “compliance readiness” as a core dimension of dataset quality and systematically evaluates transparency in data provenance, processing workflows, and handling of sensitive information. Through an analysis of 11,682 public datasets—combining automated text mining of dataset cards with manual sampling and review—the research reveals that the vast majority fail to clearly document their creation processes or data sources, and only a small fraction explicitly identify sensitive fields such as personally identifiable information (PII). These findings highlight critical gaps in current practices and provide an empirical foundation for developing standardized tools and benchmarks for assessing dataset compliance.