by Sabrina Kirrane, and adapted for ERCIM News by Jessica Michel
The SPECIAL project (Scalable Policy-aware Linked Data Architecture For Privacy, Transparency and Compliance) addresses the contradiction between Big Data innovation and data protection compliance requirements by proposing a technical solution that makes the achievement of both of these goals realistic. SPECIAL allows citizens and organisations to share more data, while guaranteeing compliance with the General Data Protection Regulation (GDPR), thus enabling both trust and the creation of valuable new insights from shared data.
The value of the EU data economy was more than €285 billion in 2015, and is expected to rise to €739 billion by 2020 [L1]. The expectation is that the mining of Big Data will bring significant advances for business, science and society at large, however there are concerns with respect to privacy and data protection. In order to address this challenge, the European Commission-funded research and innovation action, SPECIAL, has enabled the trustful usage and sharing of personal data even across company borders. It does so by providing an “automated means using technical specifications” to support consent and transparency requirements that are specified in the European General Data Protection Regulation (GDPR).
The SPECIAL project [L2] has aimed to address the contradiction between Big Data innovation and privacy-aware data protection by proposing a technical solution that makes both of these goals realistic. To this end it has developed technology that: (i) supports the acquisition of user consent at collection time and the recording of both data and metadata (consent, policies, event data, context) according to legislative and user-specified policies; (ii) caters for privacy-aware, secure workflows that include usage/access control, transparency and compliance verification; (iii) demonstrates robustness in terms of performance, scalability and security all of which are necessary to support privacy preserving innovation in Big Data environments; and (iv) provides a dashboard with feedback and control features that make privacy in Big Data comprehensible and manageable for data subjects, controllers, and processors. SPECIAL thus allows citizens and organisations to share more data, while guaranteeing data protection compliance, enabling both trust and the creation of valuable new insights from shared data.
Early on in the project, the use cases (developed from Telecoms and Financial Services industries) underwent a thorough legal and technical analysis. Both the uses cases and the insights gained from the analysis were used to develop the SPECIAL usage policy language and supporting vocabularies. Which, subsequently lead to the development of a log vocabulary that can be used to record data processing and sharing events, and the compliance checking algorithm that can be used for both ex-post and ex-ante compliance checking. Consequently, the legal partners worked closely with the technological development partners in order to provide a solutions based on the principles of privacy by design and privacy by default.
The resulting policy language and vocabularies formed the basis of initial discussions around standardisation. Towards this end, SPECIAL launched a W3C Data Privacy Vocabularies and Controls Community Group (DPVCG) on May 25th 2018 (the day the GDPR came into effect). The objective of the DPVCG is to provide a platform for engagement with the wider community, to gather additional uses cases and to develop standard vocabularies that can be used for personal data processing consent, transparency and GDPR compliance [L2].
The SPECIAL architecture is presented in the figure provided. It has led to significant advances in the state of the art in the following concrete areas:
- From a policy perspective, SPECIAL builds upon sophisticated policy frameworks and existing standardisation efforts and adapts them so as to reach the right balance between the expressiveness and scalability of the usage control policy language.
- From a transparency perspective, SPECIAL enables data transactions (i.e. who shared what data with whom and under what usage conditions) to be stored in a manner that prevents tampering and repudiation from any of the involved peers (i.e. those owning, disclosing, and acquiring data, respectively), and to ensure that all recorded transactions have actually taken place.
- SPECIAL extends the Big Data Europe (BDE) platform, an open source and multi-purpose data management environment, with transparency and compliance checking capabilities.
- The SPECIAL dashboard is a generic visualisation platform that is able to show users the information that data controllers and processor know about them, and the relevant metadata (policies, event data, context) attached to this data. While, the consent and control interfaces enable users to effectively manage permissions in an understandable manner.
Figure1: The SPECIAL Architecture. SPECIAL uses the Big Data Europe Integrator Platform of the EU-funded project Big Data Europe. BDE focuses on cross-community big data management and building innovative products or services with semantically interoperable, large-scale data assets. The Integrator Platform enables deployment of common big data technologies with minimal effort and forms the basis of the SPECIAL platform. It does not impose any restrictions on the data processing components with respect to the data being processed, how it is processed and how it is being disseminated. Within SPECIAL, this platform has been extended and adapted to create a system compliant with the European data protection framework, which encompasses, e.g., the protection of personal data by effective access control policies.
Vienna University of Economics and Business is the technical coordinator of the SPECIAL project. The consortium partners are the World Wide Web Consortium (W3C), the Unabhängiges Landeszentrum für Datenschutz, the Centro Regionale Information Communication Technology, the Technische Universität Berlin, TenForce, PROXIMUS/ Belgacom, Deutsche Telekom AG and Thomson Reuters/Refinitiv. The project is coordinated by the ERCIM Office. SPECIAL is formally closing at this time, with the European Commission congratulating the project on delivering exceptional results with significant impact.
If you would like to know more about the SPECIAL Approach toward GDPR consent, transparency and automated compliance checking, you can view a video that resulted from a webinar held on March 29th 2019 via the Big Data Value Association platform and is now available on YouTube [L4].
Links:
[L1] https://ec.europa.eu/digital-single-market/en/data-policies-and-legislation
[L2] https://www.specialprivacy.eu/
[L3] https://www.specialprivacy.eu/related-projects/dpvcg-w3c
[L4] https://www.youtube.com/watch?v=RKwINcaBXlE
Please contact:
Sabrina Kirrane
Scientific and Technical Coordinator of SPECIAL
Vienna University of Economics and Business, Austria
Jessica Michel
Administrative and Financial Coordinator of SPECIAL
ERCIM Office