DPVCG Meeting Call

21 SEP 2022


beatriz, georg, harsh, paul

Meeting minutes


Harsh presented DPV at SEMANTiCS last week, and Georg presented DPV at Alpine Privacy Days

The presentations were well received, and generated interest amongst the respective participants.

There were several questions about how DPV can be applied, where it is useful, and how to use it.

For this, we discussed the need for "tutorials" that provide a step-by-step practical application of DPV towards some real use-case.

georg shared the interactions where participants wanted an "overview of processing" through the use of DPV, as in to know how they are using their personal data

For this, they need a "group of specifications" that can describe their different processes, services, or other similar abstractions. The aim is to then search through these and connect them to legal metadata as required.

Some participants at this event wanted to establish a sub-group within DPVCG to work specifically on creating a technology extension for their application and use-case.

georg will communicate the discussion of this within the group, and invite them to a future call to discuss how to best incorporate such sub-groups and work in alignment with DPVCG.

georg also mentioned a specific application where different departments or teams want to write information on what and how they use some service which is then sent to the DPO or legal team who add or interpret the legal concepts from these (e.g. for audit or approval).

In DPV, we have the dpv-tech which is intended for such use, but it is currently limited in scope. For such use-cases, the tech extension would be the primary vocabulary with dpv(-main) the extension.

TPAC Joint Meeting with ODRL

We had the joint meeting at W3C TPAC on SEP-12, with ODRL and DPVCG discussing how to collaborate.

Participants from DPV were harsh, beatriz, victor, and more (in addition to beatriz and victor) from ODRL.

The agenda for this was shared earlier (see https://lists.w3.org/Archives/Public/public-dpvcg/2022Sep/0001.html)

In the meeting, we discussed how ODRL and DPV relate to each other - the conclusion was that ODRL takes a general and formal approach to defining constraints and 'digital contracts', while DPV is specific to data protection / privacy.

This means DPV provides a succinct and direct expression of metadata for its domain, which can be expressed more formally (and completely) using ODRL as a formal and standardised language.

The discussion also explored how DPV to ODRL (or vice-versa) converters can be created to assist with this.

The discussion also explored the overlap or relation between concepts - where ODRL's asset, party, action and other concepts have correspondences within DPV (e.g. personal data, legal entity, and processing respectively). The others are missing.

However, ODRL provides the ability to create specific profiles that can be a mechanism to integrate DPV within ODRL.

For more, see Victor's notes to the ODRL mailing list - https://lists.w3.org/Archives/Public/public-odrl/2022Sep/0012.html

The ODRL group is also discussing a v3 of their specification, with further enrichments of concepts and how they are applied.

One of the topics that is common with DPV is to create human-readable documentation from the metadata. For DPV, this could be privacy notices, which are easier since DPV's concepts are close to what is expected. For other uses (e.g. legal contracts), ODRL would be more suitable given its explicit use of terms and constraints.

From this discussion, the conclusion regarding overlap between DPV and ODRL was that DPVCG does not want to repeat the work within ODRL in terms of providing a way to express constraints or rules.

What is desirable, however, is to provide some 'lightweight' mechanism to allow transition from DPV to ODRL or vice-versa.

Rules in DPV

The group (today) discussed what DPV should do regarding providing or expressing some form of 'rule', where the use-case is to express some things are permitted and some are prohibited.

The conclusion of this discussion was that the DPVCG should identify some 'minimum desirable concepts' and for the rest to point towards existing efforts at rule representation, such as ODRL.

At a minimum, we discussed the concepts `Permission`, `Prohibition`, and `Obligation` as common use-cases.

Two forms of rule expressions were identified:

1) where an entire personal data handling is expressed as being permitted or prohibited, e.g. using `hasRule with Permission`

2) where a single thing is expressed as permitted or prohibited, e.g. a data category that is specified as prohibited to be used.

The discussion did not reach a conclusion, but we discussed some examples of annotating a personal data handling instance using `hasRule` and a rule concept (see above).

Next Meeting

We will meet again in 1 week, on WED SEP-28 13:00 WEST / 14:00 CEST

Topics will be rules, data subject rights, and any other items put on the agenda.

Minutes manually created (not a transcript), formatted by scribe.perl version 192 (Tue Jun 28 16:55:30 2022 UTC).