International-Data-Spaces-Association / IDSA-Rulebook

The working repository of the IDSA Rulebook Working Group
Creative Commons Attribution 4.0 International

Enhancements to IDSA Rulebook on Data Intermediaries and Consent Management #55

Closed anilturkmayali closed 1 month ago

anilturkmayali commented 6 months ago

Several updates to the IDSA Rulebook to address gaps in the guidelines regarding data intermediaries, personal data intermediaries, and consent management have been proposed. The updates aim to improve clarity and regulatory compliance in data space governance, especially concerning personal data handling. The suggested areas for enhancement should be able to show how the interaction is possible between these roles and a data space:

And some more clarifications relevant to this context:

  1. Clarification of Roles between Data Intermediaries and Personal Data Intermediaries: Distinguish the operational and regulatory differences between data intermediaries and personal data intermediaries. Provide guidance on their unique interactions with data spaces, emphasizing the importance of privacy and consent in personal data intermediation.

  2. Consent Management: Update the Rulebook to define expected behaviors of data intermediaries in consent management for both industrial and personal data. Outline distinct protocols that reflect the differing requirements for handling each type of data, with a particular focus on the privacy considerations for personal data.

  3. Dataspace Governance Authority Responsibilities: Expand the Rulebook to detail the role of the Data Space Governance Authority in managing personal data. This includes enforcing data protection laws, managing consent, and ensuring ethical data use within the dataspace. Highlight the differences in responsibilities when dealing with industrial (non-personal) versus personal data.

anilturkmayali commented 4 months ago

In a tabular form, I share the content for some possible additions.

| Interface/Interaction Between | Questions to Consider |
| --- | --- |
| Data Intermediaries (DI) & Consent Management | How can DIs ensure they follow the right steps to manage consent? |
| Personal Data Intermediaries (PDI) & Consent Management | What special actions do PDIs need to take when dealing with personal data consent? Consent management differences between DI and PDI. |
| DI & Data Space Governance Authorities (DSGA) | What do DIs need to do to comply with data governance rules in a data space? |
| PDI & Data Space Governance Authorities (DSGA) | What do DIs need to do to comply with data governance rules in a data space? |
| DI & PDI & Data Space Governance Authorities (DSGA) | How the interaction between DI and DSGA happens and how it differs from the one between DSGA PDI? |
| DI & Legal Obligations | How the compliance checklist for a DI looks like? |
| PDI & Legal Obligations | How the compliance checklist for a PDI looks like? How it's different from the DI one |

PeterKoen-MSFT commented 3 months ago

We need to discuss this section in the Rulebook WG. Personal Data Consent Management is part of the Participants Data Management Layer. In the dataspace it can only exist as a usage policy. Whether data is personal or not can only be properly processed at the data management and processing layers of a participant and thus GDPR Consent Management is NOT a function of the dataspace but rather a capability of the participant which needs to be expressed in the participant self-description and can be requested through policies.

There is no Personal Data Intermediary role defined in a dataspace, any attempt to build such a role would be purely custom by a dataspace that wants to create this role and outside of the architectural standards for a dataspace (it will fall under the "optional value adding services" category).

There seems to be a strong misunderstanding as to where and how GDPR relevant processing happens. We need to create consensus on this and explicitly clear up the current confusion around Dataspace Roles and Personal Data Management.

My recommendation would be to NOT include this topic in the Rulebook, but rather prepare a separate position statement/blog post explaining this in relation to the Rulebook and RAM to keep those two publications focused on what IS included in a dataspace functional requirement/architecture.

ssteinbuss commented 1 month ago

see #64

FelixBole commented 1 month ago

> There is no Personal Data Intermediary role defined in a dataspace, any attempt to build such a role would be purely custom by a dataspace that wants to create this role and outside of the architectural standards for a dataspace (it will fall under the "optional value adding services" category).

This statement misunderstands the role of Personal Data Intermediaries (PDI) and the scope of GDPR compliance within dataspaces. Here are some elements of clarification:

  1. Recognition of PDIs in dataspaces: The PDI role is recognized and defined by the DSSC, as referenced in the glossary. PDIs are crucial actors for managing individual consents within dataspaces, ensuring compliance with GDPR.
  2. PDIs and GDPR Compliance: While GDPR Consent Management is a capability of participants, integrating PDIs ensures this function is seamlessly managed within the dataspace. PDIs act as mediators, ensuring all data transactions occur only after explicit consent is obtained from data subjects.
  3. Dataspace roles:
    • PDIs enhance compliance and trust within dataspaces by providing dynamic consent management and empowering individuals with direct control over their data.
    • They are not merely optional value-adding services but essential components for maintaining GDPR compliance and fostering trust in data sharing.
  4. Clarifying the Architectural Role: PDIs are integrated to manage the entire lifecycle of consents, ensuring they are always up-to-date and reflect individual preferences. This role is aligned with ensuring that all data transactions adhere to both the agreed contracts and specific consents provided by individuals.

ssteinbuss commented 1 month ago

> > There is no Personal Data Intermediary role defined in a dataspace, any attempt to build such a role would be purely custom by a dataspace that wants to create this role and outside of the architectural standards for a dataspace (it will fall under the "optional value adding services" category).
>
> This statement misunderstands the role of Personal Data Intermediaries (PDI) and the scope of GDPR compliance within dataspaces. Here are some elements of clarification:
>
>   1. Recognition of PDIs in dataspaces: The PDI role is recognized and defined by the DSSC, as referenced in the glossary. PDIs are crucial actors for managing individual consents within dataspaces, ensuring compliance with GDPR.
>   2. PDIs and GDPR Compliance: While GDPR Consent Management is a capability of participants, integrating PDIs ensures this function is seamlessly managed within the dataspace. PDIs act as mediators, ensuring all data transactions occur only after explicit consent is obtained from data subjects.
>   3. Dataspace roles:
>     • PDIs enhance compliance and trust within dataspaces by providing dynamic consent management and empowering individuals with direct control over their data.
>     • They are not merely optional value-adding services but essential components for maintaining GDPR compliance and fostering trust in data sharing.
>   4. Clarifying the Architectural Role: PDIs are integrated to manage the entire lifecycle of consents, ensuring they are always up-to-date and reflect individual preferences. This role is aligned with ensuring that all data transactions adhere to both the agreed contracts and specific consents provided by individuals.

@FelixBole please also join the regular meetings of the Working Group Rulebook to contribute to and follow the recent discussions.

PeterKoen-MSFT commented 1 month ago

@FelixBole - please, join the working groups for discussions like this. We have discussed this at length on multiple occasions.

A note on the reference to DSSC: The DSSC is not an organization that should develop net-new normative design documents for dataspaces, but rather survey the market and reference documents developed and proven in community-driven organizations. Apparently this has not happened in their treatment of intermediaries, as their description of personal data intermediaries is not in line with how these are treated in most running dataspaces and what community consensus in organizations that define dataspace architecture is. It is content that will most likely have to be adjusted by the DSSC to better align with the reality of implemented dataspaces, working architectures and community-agreed design documents.