Digitale Ökosysteme: Datensouveränität

Technology-independent data sovereignty: our new innovative ODRL profile has been published

In today’s world, ensuring data sovereignty is crucial. We are pleased to present the latest advances in the area of data usage control, specifically in the area of policy specification: The ODRL profile for data sovereignty. We have extended the standardized ODRL policy language to include the specification of data sovereignty requirements. Our MYDATA Control Technologies have also been adapted to technically enforce these data security requirements. Read this blog to find out more about developments in the field of data sovereignty and how our innovations are improving the way data is handled.

Introduction and background on data sovereignty in the International Data Space

What is data sovereignty?

In an increasingly networked world, the exchange of data is becoming a central component of many business processes and technological innovations. Ensuring data sovereignty plays a crucial role in this. The goal of data sovereignty is for data owners to retain full control over their data, regardless of where and by whom it is used. Clear guidelines and technical standards are needed to ensure this control.

The International Data Space (IDS) is an initiative that aims to create a secure, cross-domain data space that enables companies of different industries and sizes to manage their data confidently. The basis for this is a reference architecture model that was developed by twelve institutes of the Fraunhofer-Gesellschaft as part of a research project funded by the German Federal Ministry of Education and Research. The initiative has a European and international focus and was later institutionalized in the form of the registered association International Data Spaces Association (IDSA).

One of the aims of the International Data Space (IDS) is to safeguard the digital sovereignty of data owners, thereby also forming the basis for smart services and innovative business processes. The initiative was launched at the end of 2014 and aims to establish both development and use at a European and international level.

Our work on data sovereignty

Data usage control is one way to ensure and practically implement data sovereignty. More than ten years ago, Fraunhofer IESE started research in the area of data usage control, which is an important component of informational self-determination. Based on this expertise, we also represented and managed the topic of data sovereignty as part of the IDS project (Data Usage Control in the International Data Space).

As part of the IDS project, we dealt with the topics of policy specification, policy management, contract negotiation and policy enforcement. This article deals specifically with the topic of policy specification.

Policy specification is about extracting usage control policies and specifying them using policy languages. A policy language can be technology-independent or technology-dependent. A technology-independent policy language is often machine-readable and can be used as a common language that is understood by all partners, data providers and data users. It is therefore well suited as a basis for negotiations. A technology-dependent policy language, on the other hand, is based on the underlying technology. In contrast to technology-independent policies, technology-dependent policies can be interpreted in such a way that technical enforcement is possible in the respective systems. An example of such a technology-dependent language is the MYDATA Policy Language of MYDATA Control Technologies. MYDATA Control Technologies is a framework for data usage control implemented by Fraunhofer IESE. This technical solution can interpret these technology-dependent policies and enforce them technically within the respective system.

ODRL as a policy language for the exchange of data sovereignty requirements

What is ODRL?

ODRL (Open Digital Rights Language) is a standardized policy language that was developed to define rights, obligations and restrictions in relation to digital content. It enables companies and organizations to precisely define how their data should be used, shared and protected. ODRL is technology-independent and is well suited for creating detailed rules to ensure that data is only used in accordance with the specified conditions.

Due to its technology independence, ODRL was selected as the policy language for the data sovereignty requirements during the IDS project. A strength of ODRL is its specific customizability through the use of ODRL profiles. An ODRL profile is essentially a specific configuration of the ODRL language that allows it to accommodate the unique requirements of a company or organization. These profiles are flexible and can be adapted to different scenarios. To ideally map requirements from the area of data sovereignty, we have therefore developed our own ODRL profile as part of the IDS project. With this profile, we have created the possibility of mapping data sovereignty requirements with ODRL regardless of underlying technology. Our policy editor helps with the specification, translation, interpretation and transfer between the two policy languages.

Our own ODRL profile for the specification of data sovereignty requirements

ODRL profile for the specification of data sovereignty

Our ODRL Profile for Data Sovereignty (ODS), extends the core ODRL information model by defining terms that express usage restrictions, obligations and changes. This profile is particularly compatible with the XACML-based architecture of MYDATA Control Technologies, as it introduces usage control components such as the Policy Enforcement Point (PEP) and the Policy Execution Point (PXP). Data providers can specify the interface description and endpoint URI of their usage control components in the policies. This allows the technologies that enforce these policies to know where to retrieve information and where to perform an action.

Below is an example of a policy in ODRL that uses our profile presented here. This duty policy („duty“ in ODRL) specifies that a party must be notified when a data use has been authorized. A data usage control framework such as MYDATA Control Technologies implements a notification system and wraps it in a PXP component. If the policy specifies the endpoint URI of this PXP, the framework explicitly knows which notification system to call. This ensures that the duty is performed successfully.

ODRL Directive (Duty) which stipulates that a party must be notified when a data use has been authorized.
ODRL Directive (Duty), which stipulates that a party must be notified when a data use has been authorized.

Conclusion

Research in the field of data usage control is an essential building block for securing data sovereignty and informational self-determination. By developing and applying technology-independent and technology-dependent policy languages, such as the ODRL and MYDATA policy language, clear and precise guidelines can be created and enforced. In particular, the ODRL profile for data sovereignty developed in the IDS project impressively demonstrates how flexible and customizable such solutions can be. The integration of a standardized technology-independent policy language into our MYDATA Control Technologies enables reliable, effective and secure management of data usage policies at various levels, which is of enormous importance for companies and organizations.

Write to us if you have challenges in the area of data sovereignty and we will work together on customized solutions. You can find more information at MYDATA Control Technologies.