Lawful and Accountable Personal Data Processing with GDPR-based Access and Usage Control in Distributed Systems

TL;DR

This work tackles the GDPR compliance burden in distributed data processing by introducing a case‑generic, human‑in‑the‑loop normative reasoning framework. It defines an ontology and formal semantics implemented in the eFLINT domain‑specific language and extends XACML to support GDPR‑based access and usage control in distributed systems. Through a detailed example of purpose graphs and multiple processing scenarios, it demonstrates how lawfulness arguments are constructed and how authorisations are generated or denied, enabling both ex‑ante control and ex‑post auditing for transparency and accountability. The approach emphasizes modularity, adaptability to evolving interpretations of GDPR, and clear separation between normative interpretation and system implementation, with integration patterns and governance roles laid out for real‑world data sharing ecosystems.

Abstract

Compliance with the GDPR privacy regulation places a significant burden on organisations regarding the handling of personal data. The perceived efforts and risks of complying with the GDPR further increase when data processing activities span across organisational boundaries, as is the case in both small-scale data sharing settings and in large-scale international data spaces. This paper addresses these concerns by proposing a case-generic method for automated normative reasoning that establishes legal arguments for the lawfulness of data processing activities. The arguments are established on the basis of case-specific legal qualifications made by privacy experts, bringing the human in the loop. The obtained expert system promotes transparency and accountability, remains adaptable to extended or altered interpretations of the GDPR, and integrates into novel or existing distributed data processing systems. This result is achieved by defining a formal ontology and semantics for automated normative reasoning based on an analysis of the purpose-limitation principle of the GDPR. The ontology and semantics are implemented in eFLINT, a domain-specific language for specifying and reasoning with norms. The XACML architecture standard, applicable to both access and usage control, is extended, demonstrating how GDPR-based normative reasoning can integrate into (existing, distributed) systems for data processing. The resulting system is designed and critically assessed in reference to requirements extracted from the GPDR.

Figures (12)

• Figure 1: High-level diagrammatic representation of the system proposed in this paper. The system can be used in conjunction with existing policy enforcement mechanisms within a system.
• Figure 2: The enforcement process of an access control system. There is no further control after access has been granted and the resource is used.
• Figure 3: The enforcement process of a usage control system with continuous monitoring and control through compensating actions. The diagram is an adaptation of Figure 3a in Pretschner2006.
• Figure 4: A simplified version of the XACML architecture. Compared to version 3.0 of the standard, the context handler component has been omitted.
• Figure 5: An ontology establishing relations between concepts as defined in \ref{['sec:purpose-limitation']} and extended with a relation capturing processing requests. Concepts are represented as circles, relations as diamonds. Binary relations may be represented directly as a filled arrow between two concepts. The diagram shows only the legal basis relations derived from Art. 6(1)(a) and Art. 6(1)(f) for brevity.

Theorems & Definitions (9)

• Definition 1
• Definition 2
• Definition 3
• Definition 4
• Definition 5
• Definition 6
• Definition 7
• Definition 8
• Definition 9