Representing and Managing Consent for Data Sharing with Knowledge Graphs
1. Representing and Managing Informed User Consent
with Knowledge Graphs
by Anelia Kurteva
with inputs from Lisa Schupp, Manuel Buchauer,
Davide De Sclavis, Philip Handl and Anna Fensel
[NODES2020]
2. About me
• PhD Student at Semantic Technology
Institute (STI) Innsbruck, University of
Innsbruck
• Topic: “Representing and Managing
Informed User Consent with Knowledge
Graphs”
• Areas of interest:
• Knowledge graphs
• Consent
• Sensor data
• Data provenance
Contact:
Anelia Kurteva
anelia.kurteva@sti2.at
www.linkedin.com/in/aneliakurteva
📍Semantic Technology Institute
(STI) Innsbruck,
University of Innsbruck,
6020 Innsbruck, Austria
https://www.sti-innsbruck.at
3. Agenda
1. Consent and the GDPR
2. Representing consent with semantic technology
3. Managing consent
4. Knowledge graphs as a consent solution
5. Challenges
6. Future goals
4. The GDPR (General Data Privacy Regulation)1
• Applicable as of May 25th, 2018 in all member states to harmonize data privacy laws
across Europe.
• The main aim is to give control to individuals over their personal data.
• Introduced the notion of informed user consent.
• Non-compliance fine of up to €10 million, or 2% of the firm’s worldwide annual
revenue from the preceding financial year, whichever amount is higher.
1. https://gdpr-info.eu
5. 1. Consent according to the GDPR
”Consent of the data subject means any freely given, specific, informed and
unambiguous indication of the data subject’s wishes by which he or she, by a statement
or by a clear affirmative action, signifies agreement to the processing of personal data
relating to him or her”.
- Article 4(11) of GDPR
6. Informed user consent
The data subject should know:
• Who is the data controller?
• What kind of data will be used?
• For what purpose is the data required?
• How the data will be used?
• How the data will be processed?
• Where will the data be stored?
• With whom will the data be shared?
7. 2. Representing consent with semantic technology
Several ontologies exist: GConsent [1], CDMM [2], PrOnto [3], BPR4GDPR [4], SPECIAL-K [5],
DUO [6], ICO[7], The Neurona Ontologies [8], OntoPrivacy [9]
Common limitations:
• Too general
• Built for a specific use case
• Representing only consent (no information about the data or the processes)
• Do not model consent state changes
• Consent revocation is not defined
8. A new consent ontology (work in progress)
• Development environment: Protégé v. 5.5.0
• Defined the concept of a campaign (according to the CampaNeo2 and smashHit3
projects)
Campaign: a specific request for data sharing made from a company to the end
user.
2. The CampaNeo project: https://projekte.ffg.at/projekt/3314668
3. The smashHit project (funded by H2020): https://www.smashhit.eu
9. Sample Campaign “Roads of Innsbruck”
• The Tyrolean government wants to examine
which roads of Innsbruck and its
conurbation are heavily used in order to
determine if further investment is needed.
• A campaign called "Roads of Innsbruck” is
created and posted on the CampaNeo2
platform.
Data of Interest:
• GPS data from car drivers in the area
of Innsbruck and up to 15 km away.
• The data will be stored anonymously in a
central database in Kufstein owned by the
government itself.
• Upon user consent data will be shared with
STI Innsbruck for running a research on car
traffic at various time of the day.
10. • Reuse existing ontologies for:
• consent: GConsent [1], CDMM [2], PrOnto [3]…
• sensor data: OntoSensor [10], SDO [11], SSN [12]
• contracts: FIBO [13]
• data sharing: DSAP [14]
• Defined data processing
• Defined consent revocation
12. 3. Managing consent
What does it mean to manage consent?
Record consent
Validate consent
Revoke consent
Edit consent Restrict consent
All actions
according to GDPR
13. No. Project Start Date Finish Date Main Aim (s)
1 SPECIAL-K[5] 2017 2019
Support the acquisition of user consent at collection time and the recording of
both data and metadata.
2 CitySpin[15] 2017 2020
Set foundations for effective Cyber Physical Systems (CPS) engineering by
investigating feasible system architectures, developing design approaches and
architectural patterns, and integrating suitable tools into a technology stack.
3 MIREL[16] 2016 2019
Provide products and services in legal reasoning and their deployment in the
market.
4 ADvoCATE[17] 2015 2019
Optimize delivery of oral health and wellbeing to the population in EU Member
States.
5 DALICC[18] 2016 2018
Supports the automated clearance of rights thus supporting the legally secure
and time-efficient reutilization of third-party data sources.
6 EnCoRe[19] 2008 2011
Develop mechanisms for consent revocation; raise awareness regarding user
rights.
7 CampaNeo[20] 2019 2022
Develop a platform for vehicle sensor data sharing which is GDPR compliant
and use machine learning for analysis and predictions.
8 smashHit[21] 2020 2022 A secure platform for data sharing and consent management.
Table 1. Consent Management Projects
14. Challenges
• Responsibilities
• Who is responsible for what?
• Who records the consent?
• Storage
• Where is consent stored?
• What privacy and security mechanisms are in place?
• Who has access to it? Can it be changed without the user’s knowledge?
• Implications of revoking consent
• How to revoke consent?
• What happens to the data and the processes once consent is revoked?
15. 4. Knowledge graphs as a consent solution
Benefits of knowledge graphs related to consent:
• Transparency (data is in both human-readable and machine-readable formats)
• Traceability (one can reuse ontologies for events, time to timestamp data)
• Knowledge discovery (discover patterns, inconsistencies, security and privacy
issues)
• Reasoning (GDPR compliance checking)
• Understanding connections between data (e.g. how a third-party gained access
to specific user data)
• Common understanding across all silos
18. Fig 5. Consent ontology visualization in Neo4j4 with Neosemantics(n10s)5
4. https://neo4j.com
5. https://neo4j.com/labs/neosemantics/4.0/
19. 5. Challenges
Visualizing consent to users:
• Information overload
• Privacy policies written in legalese
• Raising awareness about one’s rights
• Improve understandability
Representing consent:
• Record consent and its provenance
• Use consent for reasoning
• Comply with GDPR
20. 6. Future goals
• Build “standard” ontologies in the areas of:
• Consent
• Smart city
• Data sharing
• Contracts
• Collaborate
Want to get involved?
Follow smashHit on LinkedIn: https://www.linkedin.com/company/smashhit
Visit smashHit at: https://www.smashhit.eu
smashHit survey:
https://forms.office.com/Pages/ResponsePage.aspx?id=xg9EM8e3LEG7cw5wsBmNWu
aisqMzJb5MtoS6h3_ZC99URUJNTEg3Q0YyQjdTRTExV1ZBR0tOUkZYQS4u
22. References
[1] H. J. Pandit, C. Debruyne, D. O’sullivan, and D. Lewis, “GConsent-A Consent Ontology based on the GDPR,” [Online]. Available:
https://w3id.org/GConsent
[2] K. Fatema, E. Hadziselimovic, H. Pandit, C. Debruyne, D. Lewis, and D. O’sullivan, “Compliance through Informed Consent: Semantic
Based Consent Permission and Data Management Model,” International Semantic Web Conference (ISWC), 2017.
[3] M. Palmirani, M. Martoni, A. Rossi, C. Bartolini, and L. Robaldo, ”Pronto: Privacy ontology for legal compliance,” vol. 2018-Octob.
Springer International Publishing, 2018.
[4] G. Lioudakis and D. Cascone, “Compliance Ontology - Deliverable D3.1,” [Online]. Available: https://www.bpr4gdpr.eu/wp-
content/uploads/2019/06/D3.1-Compliance-Ontology-1.0.pdf, 2019.
[5] S. Kirrane, J. D. Fernández, P. Bonatti, U. Milosevic, A. Polleres, and R. Wenning, “The SPECIAL-K Personal Data Processing Transparency
and Compliance Platform,” arXiv:2001.09461, [Online]. Available: http://arxiv.org/abs/2001.09461, 2020.
[6] S. O. M. Dyke, A. A. Philippakis, J. Rambla De Argila, D. N. Paltoo, E. S. Luetkemeier, B. M. Knoppers, A. J. Brookes, J. D. Spalding, M.
Thompson, M. Roos, K. M. Boycott, M. Brudno, M. Hurles, H. L. Rehm, A. Matern, M. Fiume, and S. T. Sherry, “Consent Codes:
Upholding Standard Data Use Conditions,” PLoS Genetics, vol. 12, no. 1, pp. 1–9, 2016.
[7] Y. Lin, M. R. Harris, F. J. Manion, E. Eisenhauer, B. Zhao, W. Shi, A. Karnovsky, and Y. He, “Development of a BFO-based informed
consent ontology (ICO),” CEUR Workshop Proceedings, vol. 1327, pp. 84–86, 2014.
[8] S. Torralba, N. Casellas, J.-E. Nieto, A. Meroño, Antoni, Roig, M. Reyes, and P. Casanovas, “The Neurona ontology: A data protection
compliance ontology,” The Intelligent Privacy Management Symposium, 2010.
[9] V. Bartalesi, R. Sprugnoli, A. Cappelli, V. Bartalesi, L. R. Sprugnoli, and C. Biagioli, “Modelization of Domain Concepts Extracted from the
Italian Privacy Legislation,” [Online]. Available: http://www.legal-rdf.org, 2007.
23. [10] D. Russomanno, C. Kothari, O. Thomas, “Building a Sensor Ontology: A Practical Approach Leveraging ISO and OGC Models,” In
Proceedings of the International Conference on Artificial Intelligence (ICAI 2005), Volume 2, Las Vegas, Nevada, USA, June 27-30,
2005.
[11] R. García-Castro, O. Corcho, C. Hill, “A Core Ontology Model for Semantic Sensor Web Infrastructures,” In International Journal on
Semantic Web and Information Systems 8(1), pp. 22-42, 2012.
[12] A. Haller, K. Janowicz, S. Cox, D. Phuoc, K. Taylor, M. Lefrançois, “Semantic Sensor Network Ontology,” In book: Semantic Web 10,
pp. 9–32, IOS Press, 2019.
[13] EDM Council, “The Financial Industry Business Ontology (FIBO),“ [Online]. Available at: https://spec.edmcouncil.org/fibo/.
[14] M. Li, R. Samavi, “DSAP: Data Sharing Agreement Privacy Ontology,” In the Semantic Web Applications and Tools for Healthcare
and Life Sciences (SWAT4HCLS) conference, Antwerp, Brussels, 2018.
[15] A. Azzam, P. R. Aryan, A. Cecconi, C. Di Ciccio, F. J. Ekaputra, J. Fernández, S. Karampatakis, E. Kiesling, A. Musil, M. Sabou, P.
Shadlau, and T. Thurner, “The CitySpin platform: A CPSS environment for city-wide infrastructures,” CEUR Workshop Proceedings,
vol. 2530, pp. 57–64, 2019.
[16] The MIREL Project, [Online]. Available: https://www.mirelproject.eu.
[17] K. Rantos, G. Drosatos, K. Demertzis, C. Ilioudis, A. Papanikolaou, and A. Kritsas, “ADvoCATE: A Consent Management Platform for
Personal Data Processing in the IoT Using Blockchain Technology,” In Innovative Security Solutions for Information Technology
and Communications, pp. 300–313, 2019.
[18] G. Havur, S. Steyskal, O. Panasiuk, A. Fensel, V. Mireles, T. Pellegrini, T. Thurner, A. Polleres, and S. Kirrane, “DALICC: A framework
for publishing and consuming data assets legally,” CEUR Workshop Proceedings, vol. 2198, pp. 1–4, 2018.
[19] The EnCoRe Project, [Online]. Available: https://www.hpl.hp.com/breweb/encoreproject/.
[20] The CampaNeo Project, [Online]. Available at: https://projekte.ffg.at/projekt/3314668.
[21] The smashHit Project, [Online]. Available at: https://www.smashhit.eu.