Closed anilturkmayali closed 4 months ago
In a tabular form, I share the content for some possible additions.
Interface/Interaction Between | Questions to Consider |
---|---|
Data Intermediaries (DI) & Consent Management | How can DIs ensure they follow the right steps to manage consent? |
Personal Data Intermediaries (PDI) & Consent Management | What special actions do PDIs need to take when dealing with personal data consent? Consent management differences between DI and PDI. |
DI & Data Space Governance Authorities (DSGA) | What do DIs need to do to comply with data governance rules in a data space? |
PDI & Data Space Governance Authorities (DSGA) | What do DIs need to do to comply with data governance rules in a data space? |
DI & PDI & Data Space Governance Authorities (DSGA) | How the interaction between DI and DSGA happens and how it differs from the one between DSGA PDI? |
DI & Legal Obligations | How the compliance checklist for a DI looks like? |
PDI & Legal Obligations | How the compliance checklist for a PDI looks like? How it's different from the DI one |
We need to discuss this section in the Rulebook WG. Personal Data Consent Management is part of the Participants Data Management Layer. In the dataspace it can only exist as a usage policy. Whether data is personal or not can only be properly processed at the data management and processing layers of a participant and thus GDPR Consent Management is NOT a function of the dataspace but rather a capability of the participant which needs to be expressed in the participant self-description and can be requested through policies.
There is no Personal Data Intermediary role defined in a dataspace, any attempt to build such a role would be purely custom by a dataspace that wants to create this role and outside of the architectural standards for a dataspace (it will fall under the "optional value adding services" category.
There seems to be a strong misunderstanding as to where and how GDPR relevant processing happens. We need to create consensus on this and explicitly clear up the current confusion around Dataspace Roles and Personal Data Management.
My recommendation would be to NOT include this topic in the Rulebook, but rather prepare a separate position statement/blog post explaining this in relation to the Rulebook and RAM to keep those two publications focused on what IS included in a dataspace functional requirement/architecture.
see #64
There is no Personal Data Intermediary role defined in a dataspace, any attempt to build such a role would be purely custom by a dataspace that wants to create this role and outside of the architectural standards for a dataspace (it will fall under the "optional value adding services" category.
This statement misunderstands the role of Personal Data Intermediaries (PDI) and the scope of GDPR compliance within dataspaces. Here's some elements of clarification:
There is no Personal Data Intermediary role defined in a dataspace, any attempt to build such a role would be purely custom by a dataspace that wants to create this role and outside of the architectural standards for a dataspace (it will fall under the "optional value adding services" category.
This statement misunderstands the role of Personal Data Intermediaries (PDI) and the scope of GDPR compliance within dataspaces. Here's some elements of clarification:
- Recognition of PDIs in dataspaces: The PDI role is recognized and defined by the DSSC, as referenced in the glossary. PDIs are crucial actors for managing individual consents within dataspaces, ensuring compliance with GDPR.
- PDIs and GDPR Compliance: While GDPR Consent Management is a capability of participants, integrating PDIs ensures this function is seamlessly managed within the dataspace. PDIs act as mediators, ensuring all data transactions occur only after explicit consent is obtained from data subjects.
- Dataspace roles:
- PDIs enhance compliance and trust within dataspaces by providing dynamic consent management and empowering individuals with direct control over their data.
- They are not merely optional value-adding services but essential components for maintaining GDPR compliance and fostering trust in data sharing.
- Clarifying the Architectural Role: PDIs are integrated to manage the entire lifecycle of consents, ensuring they are always up-to-date and reflect individual preferences. This role is aligned with ensuring that all data transactions adhere to both the agreed contracts and specific consents provided by individuals.
@FelixBole please also join the regular meetings of the Working Group Rulebook to contribute to and follow the recent discussions.
@FelixBole - please, join the working groups for discussions like this. We have discussed this at length on multiple occasions.
a note on the reference to DSSC: The DSSC is not an organization that should develop net-new normative design documents for dataspaces, but rather survey the market and reference documents developed and proven in community driven organizations. Apparently this has not happened in their treatment of intermediaries, as their description of personal data intermediaries is not in line with how these are treated in most running dataspaces and what community consensus in organizations that define dataspace architecture is. It is content that will most likely have to be adjusted by the DSSC to better align with the reality of implemented dataspaces, working architectures and community agreed design documents.
Several updates to the IDSA Rulebook to address gaps in the guidelines regarding data intermediaries, personal data intermediaries, and consent management has been proposed. The updates aim to improve clarity and regulatory compliance in data space governance, especially concerning personal data handling. The suggested areas for enhancement should be able to show how the interaction is possible between these roles and a data space:
And some more clarifications relevant to this context:
Clarification of Roles between Data Intermediaries and Personal Data Intermediaries: Distinguish the operational and regulatory differences between data intermediaries and personal data intermediaries. Provide guidance on their unique interactions with data spaces, emphasizing the importance of privacy and consent in personal data intermediation.
Consent Management: Update the Rulebook to define expected behaviors of data intermediaries in consent management for both industrial and personal data. Outline distinct protocols that reflect the differing requirements for handling each type of data, with a particular focus on the privacy considerations for personal data.
Dataspace Governance Authority Responsibilities: Expand the Rulebook to detail the role of the Data Space Governance Authority in managing personal data. This includes enforcing data protection laws, managing consent, and ensuring ethical data use within the dataspace. Highlight the differences in responsibilities when dealing with industrial (non-personal) versus personal data.