<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Archiving and Interchange DTD v1.0 20120330//EN" "JATS-archivearticle1.dtd">
<article xmlns:xlink="http://www.w3.org/1999/xlink">
  <front>
    <journal-meta />
    <article-meta>
      <title-group>
        <article-title>Relevant Research Questions For Decentralised (Personal) Data Governance</article-title>
      </title-group>
      <contrib-group>
        <contrib contrib-type="author">
          <string-name>Anelia Kurteva</string-name>
          <xref ref-type="aff" rid="aff1">1</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Harshvardhan J. Pandit</string-name>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <aff id="aff0">
          <label>0</label>
          <institution>ADAPT Centre, Dublin City University</institution>
          ,
          <addr-line>Dublin</addr-line>
          ,
          <country country="IE">Ireland</country>
        </aff>
        <aff id="aff1">
          <label>1</label>
          <institution>Delft University of Technology</institution>
          ,
          <addr-line>Delft</addr-line>
          ,
          <country country="NL">The Netherlands</country>
        </aff>
      </contrib-group>
      <abstract>
        <p>Protecting and preserving individuals' personal data is a legal obligation set out by the European Union's General Data Protection Regulation (GDPR). However, the process of implementing data governance to support that, in a decentralised ecosystem, is still vague. Motivated by the need for lawful decentralised data processing, this paper outlines several relevant questions from legal, privacy and technology standpoints that need to be considered.</p>
      </abstract>
      <kwd-group>
        <kwd>eol&gt;Decentralisation</kwd>
        <kwd>Data Governance</kwd>
        <kwd>GDPR</kwd>
        <kwd>Trust</kwd>
        <kwd>Privacy</kwd>
        <kwd>Semantic Web</kwd>
      </kwd-group>
    </article-meta>
  </front>
  <body>
    <sec id="sec-1">
      <title>1. Introduction</title>
      <sec id="sec-1-1">
        <title>1.1. How to describe and catalogue data for decentralised interoperability?</title>
        <p>In a decentralised ecosystem, resources (e.g. data) should be described in a way that supports
their interoperability by diferent services and machines to facilitate their discoverability, reuse
and correct interpretation of their use policies. Utilising a consistent RDF vocabulary such as
the Data Catalog Vocabulary (DCAT) 1, which is a W3C recommendation for describing datasets
and online services in a machine-readable format, can be a starting point. DCAT’s support for
semantically representing resources, their role within a system, the associated agents and the
ability to classify them in catalogues based on themes can help structure decentralised data
sharing and direct a service to a specific available resource that can be used for the specific
purposes. To use any such vocabulary to describe a decentralised resource it should be clear
what data exists in the resource and its availability in terms of what agent, when and for what
purpose can use it and it what way. Mechanisms that automatically ensure resource’s quality
and completeness (e.g. specification of its availability) based on the set standard resource
description format are needed as well.</p>
      </sec>
      <sec id="sec-1-2">
        <title>1.2. How to establish, trust, and verify identities in a decentralised system?</title>
        <p>Merely using the Web’s domain-based identity may not be suficient or even feasible in all cases.
For example, cases where identities may always need to be known - such as a company’s legal
identity for accountability purposes, while in other contexts the identity may need to be hidden
- such as to create a safe space for marginalised communities that use pseudonyms or identifiers
instead of their real names. The issue of how to issue and manage identity useful for ‘contextual
identification’ therefore also becomes an issue of trust to show or hide identities, to not misuse
it, counter malpractices such as fraud - without surveillance or exposing sensitive information
regarding private lives.</p>
      </sec>
      <sec id="sec-1-3">
        <title>1.3. How to identify and ensure security of data and processing in decentralised systems?</title>
        <p>Decentralised systems distribute the responsibilities for security mechanisms to be ensured and
enforced across three levels. First for data - which could be encrypted, hidden from discovery, or
be spread across locations. Second for data storage and transfer infrastructure, such as through
encrypted communications or access control. Third in the secure processing of data, where
involvement of multiple systems and actors establishes requirements for each actor to identify
and ensure security of data and processing taking place elsewhere to avoid to detect lapses in
security, such as failure to validate correctness or data breaches. While decentralisation reduces
the scale for afected data, it increases the severity as all sensitive data relating to a context or
individuals would be present within the single breached resource. Establishing accountability is
a challenge under the current cybersecurity and legal frameworks due to lack of precedent and
knowledge.</p>
      </sec>
      <sec id="sec-1-4">
        <title>1.4. How to support individuals in making sense of decentralised data sharing?</title>
        <p>
          It should be clear from the start if personal data (Art. 4(1)) and what specific categories of it
(Art. 9) will be processed. In such cases, even in decentralised settings, at least one of GDPR’s
legal basis for data processing should be met to be legally compliant. For consent to be a legal
base, it should be freely given, informed and unambiguous (Art. 7). Mediums for requesting
consent online, such as web cookies, often present ambiguous information regarding the data
processing, have deceptive design and dark patterns that are often invisible to a non-experts eye.
User agents that correctly interpret GDPR’s legal basis and their specific requirements and that
have knowledge of common dark patterns can be used to filter out deceptive cookie banners
and consent requests. This will also minimise the information overload and consent fatigue of
individuals and can help establish a level of trust in the agent and services that request access to
data. Consent requests via cookies are usually accompanied with privacy policies that outline
how data should be managed (i.e. gathered, used, disclosed). However, due to defining these
rules in legal language and their length, they are often overlooked by data subjects. This is the
case especially with non-experts who do not have the legal knowledge and patience to correctly
interpret the privacy policy’s content. To solve this, graph visualisations and UIs integrating
them have emerged as a possible solution to ease individuals’ comprehension [
          <xref ref-type="bibr" rid="ref2">2</xref>
          ].
        </p>
      </sec>
      <sec id="sec-1-5">
        <title>1.5. How to establish responsibility and foster accountability across actors in decentralised settings?</title>
        <p>
          Currently in centralised systems service providers are responsible for storing and processing
individuals’ data in a legally compliant way. In a decentralised system, data subjects are given
control and ownership of their data, which can be a burden [
          <xref ref-type="bibr" rid="ref3">3</xref>
          ]. The responsibilities of agents
should be clearly defined, agreed upon and described within each resources’ metadata to establish
accountability and transparency. For example, each resource can be catalogued and licensed (e.g.
use of technology such as Data Licenses Clearance Center (DALICC) [
          <xref ref-type="bibr" rid="ref4">4</xref>
          ]). Machine-readable
contracts [
          <xref ref-type="bibr" rid="ref5">5</xref>
          ]) and consent [
          <xref ref-type="bibr" rid="ref6">6</xref>
          ], outlining each actors’ duties and responsibilities, can also be
defined with specific service providers to minimise consent fatigue.
        </p>
      </sec>
      <sec id="sec-1-6">
        <title>1.6. How to balance the legal obligations and responsibilities for decentralised actors?</title>
        <p>Regulatory frameworks such as the GDPR are based on the conventional notions of centralised
organisations collecting and managing data (as Controllers) that may utilise other actors to
process it on their behalf (as Processors). The interpretation of such regulations towards
decentralised solutions is unknown, which creates uncertainty, which ultimately hinders progress.
Blindly charging forth with innovation may therefore end up not only harming the individuals
involved, but also the service providers who want to develop new markets. A pragmatic and
proactive solution therefore is to create solutions that function within the existing established
boundaries of law, while developing new interpretations or legislations to facilitate further
decentralisation. For example, there are no circumstances where users shouldering all the
legal responsibilities of being a Controller have greater ‘freedom’, and instead will only face
‘burdens’ and ‘exploitation’ from lack of knowledge or willingness. Therefore a reasonable path
forward is to identify mechanisms that either establish responsibilities, such as through model
contracts for decentralised infrastructure and service providers, or to share responsibilities, such
as through community bargaining and gatekeepers. While these happen, we should also engage
with lawmakers and authorities to provide formal guidelines for the same and to develop future
legislations. Of note, the European Union has already passed the Data Governance Act and has
proposed Data Spaces that advance this conversation.</p>
      </sec>
      <sec id="sec-1-7">
        <title>1.7. How to develop infrastructure and tools for decentralised systems?</title>
        <p>In order to set up decentralised systems and services, an essential requirement is the availability
of necessary infrastructure and tooling. For example, identity providers, data and processing
associated resources - such as for storage, querying, computing, etc. - as well as specific tools
for developers to create and users to consume and manage these resources. Before researching
new methods to achieve the intended functionality, it is also necessary to enquire whether
any of the existing tools and services can be reused or repurposed to provide all or some of
the requirements. Where the market ecosystem has well established practices based on formal
or de-factor standards, its reuse would be beneficial to increase the penetration and adoption
of decentralised systems. For example, cloud technologies have reached the stage where they
are widespread, are the subject of extensive standardisation, and have regulatory frameworks
guiding responsible usage. Can we identify the "innovation" such existing technologies require to
realise the decentralised vision and push market actors to developed these based on new markets
and values? In parallel, existing infrastructure also has useful governance structures that can aid
in resolving some of the pending issues with decentralisation. For example, rather than thinking
of decentralisation as separation of independent nodes, we can establish decentralisation as
communities where trust of services could be managed with gate-keeping or certification
mechanisms such as that used within the app stores. For all the above, the existence of standards
or common specifications is not a strict necessity, but will certainly accelerate development and
adoption.</p>
      </sec>
      <sec id="sec-1-8">
        <title>1.8. What is required to develop efective tools for automation in decentralised systems?</title>
        <p>Automation requires machine-readable information, which also needs to be interoperable if
it is to be shared between systems. While we are a community that propagates semantic
interoperability to achieve decentralisation, the key question to ask ourselves is this: “Can we
ever reach an agreement to develop a standard?” for any of the described topics here. While we
have a variety of W3C recommendations as standards, and several tools and ontologies - often
arising from large projects, we have neither seen their wider adoption and thus efectiveness ,
nor their acknowledgement as being superior. So the first requirement for the community is
identifying what “standards” exist and what standards should exist - and from this creating a
roadmap for achieving those. The second requirement is engaging with stakeholders to establish
the minimum requirements agreeable to all, and codifying those as a standard to provide a
guiding framework for interoperable solutions. The third requirement is then extending this
standard with opinionated tools and methodologies to create operational services.</p>
      </sec>
    </sec>
    <sec id="sec-2">
      <title>2. Conclusions</title>
      <p>
        Decentralised systems are not identical replications spread over multiple locations, but instead
facilitate diversity and variance while relying on commonality to communicate and
interoperate. Therefore, as long as we have a common vocabulary (e.g. Data Privacy Vocabulary
(DPV)2[
        <xref ref-type="bibr" rid="ref7">7</xref>
        ]) that can be semantically expressed and whose interpretation is well-defined , we can
have decentralised solutions that act in a predictable manner while being free to perform with
any technology or tools that they prefer to use. All of the above research questions that we have
outlined should therefore be reframed to ask how to reach an agreement on communication of
that topic between decentralised systems.
      </p>
    </sec>
    <sec id="sec-3">
      <title>Acknowledgments</title>
      <p>Anelia Kurteva is financially supported by the RePlanIT project funded by a Topsector Energy
subsidy from the Ministry of Economic Afairs and Climate Policy in the Netherlands. The
author thanks Ruud Balkenende and Alessandro Bozzon for their support and supervision.
Harshvardhan J. Pandit’s research was conducted with the financial support of Science
Foundation Ireland at ADAPT, the SFI Research Center for AI-Driven Digital Content Technology at
Dublin City University 13/RC/2106_P2. For the purpose of Open Access, the author has applied
a CC BY public copyright license to any Author Accepted Manuscript version arising from this
submission.</p>
    </sec>
  </body>
  <back>
    <ref-list>
      <ref id="ref1">
        <mixed-citation>
          [1]
          <string-name>
            <given-names>A. V.</given-names>
            <surname>Sambra</surname>
          </string-name>
          ,
          <string-name>
            <given-names>E.</given-names>
            <surname>Mansour</surname>
          </string-name>
          ,
          <string-name>
            <given-names>S.</given-names>
            <surname>Hawke</surname>
          </string-name>
          ,
          <string-name>
            <given-names>M.</given-names>
            <surname>Zereba</surname>
          </string-name>
          ,
          <string-name>
            <given-names>N.</given-names>
            <surname>Greco</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A.</given-names>
            <surname>Ghanem</surname>
          </string-name>
          ,
          <string-name>
            <given-names>D.</given-names>
            <surname>Zagidulin</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A.</given-names>
            <surname>Aboulnaga</surname>
          </string-name>
          ,
          <string-name>
            <given-names>T.</given-names>
            <surname>Berners-Lee</surname>
          </string-name>
          ,
          <article-title>Solid: a platform for decentralized social applications based on linked data</article-title>
          ,
          <source>MIT CSAIL &amp; Qatar Computing Research Institute, Tech. Rep</source>
          . (
          <year>2016</year>
          ).
        </mixed-citation>
      </ref>
      <ref id="ref2">
        <mixed-citation>
          [2]
          <string-name>
            <given-names>C.</given-names>
            <surname>Bless</surname>
          </string-name>
          ,
          <string-name>
            <given-names>L.</given-names>
            <surname>Dötlinger</surname>
          </string-name>
          ,
          <string-name>
            <given-names>M.</given-names>
            <surname>Kaltschmid</surname>
          </string-name>
          ,
          <string-name>
            <given-names>M.</given-names>
            <surname>Reiter</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A.</given-names>
            <surname>Kurteva</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A. J.</given-names>
            <surname>Roa-Valverde</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A.</given-names>
            <surname>Fensel</surname>
          </string-name>
          ,
          <article-title>Raising awareness of data sharing consent through knowledge graph visualisation, in: Further with Knowledge Graphs</article-title>
          , IOS Press,
          <year>2021</year>
          , pp.
          <fpage>44</fpage>
          -
          <lpage>57</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref3">
        <mixed-citation>
          [3]
          <string-name>
            <given-names>H. J.</given-names>
            <surname>Pandit</surname>
          </string-name>
          ,
          <article-title>Making sense of Solid for data governance</article-title>
          and
          <source>GDPR, Information</source>
          <volume>14</volume>
          (
          <year>2023</year>
          )
          <fpage>114</fpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref4">
        <mixed-citation>
          [4]
          <string-name>
            <given-names>T.</given-names>
            <surname>Pellegrini</surname>
          </string-name>
          ,
          <string-name>
            <given-names>V.</given-names>
            <surname>Mireles</surname>
          </string-name>
          ,
          <string-name>
            <given-names>S.</given-names>
            <surname>Steyskal</surname>
          </string-name>
          ,
          <string-name>
            <given-names>O.</given-names>
            <surname>Panasiuk</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A.</given-names>
            <surname>Fensel</surname>
          </string-name>
          , S. Kirrane,
          <article-title>Automated rights clearance using semantic web technologies: The DALICC framework</article-title>
          , Semantic Applications: Methodology, Technology, Corporate
          <string-name>
            <surname>Use</surname>
          </string-name>
          (
          <year>2018</year>
          )
          <fpage>203</fpage>
          -
          <lpage>218</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref5">
        <mixed-citation>
          [5]
          <string-name>
            <given-names>A.</given-names>
            <surname>Tauqeer</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A.</given-names>
            <surname>Kurteva</surname>
          </string-name>
          ,
          <string-name>
            <given-names>T. R.</given-names>
            <surname>Chhetri</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A.</given-names>
            <surname>Ahmeti</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A.</given-names>
            <surname>Fensel</surname>
          </string-name>
          ,
          <string-name>
            <surname>Automated</surname>
            <given-names>GDPR</given-names>
          </string-name>
          <article-title>contract compliance verification using knowledge graphs</article-title>
          ,
          <source>Information</source>
          <volume>13</volume>
          (
          <year>2022</year>
          )
          <fpage>447</fpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref6">
        <mixed-citation>
          [6]
          <string-name>
            <given-names>A.</given-names>
            <surname>Kurteva</surname>
          </string-name>
          ,
          <string-name>
            <given-names>T. R.</given-names>
            <surname>Chhetri</surname>
          </string-name>
          ,
          <string-name>
            <given-names>H. J.</given-names>
            <surname>Pandit</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A.</given-names>
            <surname>Fensel</surname>
          </string-name>
          ,
          <article-title>Consent through the lens of semantics: State of the art survey and best practices</article-title>
          , Semantic
          <string-name>
            <surname>Web</surname>
          </string-name>
          (
          <year>2021</year>
          )
          <fpage>1</fpage>
          -
          <lpage>27</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref7">
        <mixed-citation>
          [7]
          <string-name>
            <given-names>H. J.</given-names>
            <surname>Pandit</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A.</given-names>
            <surname>Polleres</surname>
          </string-name>
          ,
          <string-name>
            <given-names>B.</given-names>
            <surname>Bos</surname>
          </string-name>
          ,
          <string-name>
            <given-names>R.</given-names>
            <surname>Brennan</surname>
          </string-name>
          ,
          <string-name>
            <given-names>B.</given-names>
            <surname>Bruegger</surname>
          </string-name>
          ,
          <string-name>
            <given-names>F. J.</given-names>
            <surname>Ekaputra</surname>
          </string-name>
          ,
          <string-name>
            <given-names>J. D.</given-names>
            <surname>Fernández</surname>
          </string-name>
          ,
          <string-name>
            <given-names>R. G.</given-names>
            <surname>Hamed</surname>
          </string-name>
          , E. Kiesling,
          <string-name>
            <given-names>M.</given-names>
            <surname>Lizar</surname>
          </string-name>
          , et al.,
          <article-title>Creating a vocabulary for data privacy: The ifrst-year report of data privacy vocabularies and controls community group (DPVCG), in: On the Move to Meaningful Internet Systems: OTM 2019 Conferences: Confederated International Conferences: CoopIS</article-title>
          , ODBASE,
          <string-name>
            <surname>C</surname>
          </string-name>
          &amp;
          <article-title>TC 2019, Rhodes</article-title>
          , Greece,
          <source>October 21-25</source>
          ,
          <year>2019</year>
          , Proceedings, Springer,
          <year>2019</year>
          , pp.
          <fpage>714</fpage>
          -
          <lpage>730</lpage>
          .
        </mixed-citation>
      </ref>
    </ref-list>
  </back>
</article>