This document will provide a guide for using DPV with ODRL. Currently, it is a work in progress.
DPV Specifications: The [[DPV]] is the core specification that is extended by specific extensions. A [[PRIMER]] introduces the concepts and modelling of DPV specifications, and [[GUIDES]] describe application of DPV for specific applications and use-cases. The Search Index page provides a searchable hierarchy of all concepts. The Data Privacy Vocabularies and Controls Community Group (DPVCG) develops and manages these specifications through GitHub. For meetings, see the DPVCG calendar.
The peer-reviewed article "Data Privacy Vocabulary (DPV) - Version 2.0" (2024) describes the current state of DPV and extensions from version 2.0 onwards, with an earlier article (2019) covering how the DPV was developed (open access versions here, here, and here).
Contributing: The DPVCG welcomes participation to improve the DPV and associated resources, including expansion or refinement of concepts, requesting information and applications, and addressing open issues. See contributing guide for further information.
The following namespaces and prefixes are used throughout this document:
| prefix | URI |
|---|---|
| dpv | https://w3id.org/dpv# |
| ai | https://w3id.org/dpv/ai# |
| pd | https://w3id.org/dpv/pd# |
| loc | https://w3id.org/dpv/loc# |
| tech | https://w3id.org/dpv/tech# |
| eu-gdpr | https://w3id.org/dpv/legal/eu/gdpr# |
| dcterms | http://purl.org/dc/terms/ |
| dcat | http://www.w3.org/ns/dcat# |
| odrl | http://www.w3.org/ns/odrl/2/ |
| dpv-odrl | https://w3id.org/dpv/odrl# |
| xsd | http://www.w3.org/2001/XMLSchema# |
| ex | https://example.com/ |
The [[[ODRL-MODEL]]] recommendation is a W3C standard for the expression of policies regarding the usage of data and services. It allows the representation of rules (e.g., permissions, prohibitions, and obligations) in a domain-agnostic manner. These rules allow, deny, or oblige parties to perform actions over assets, which can be further restricted using constraints and duties.
Since ODRL is a domain-agnostic policy language, DPV can be used as a controlled vocabulary for invoking privacy and data protection-specific terms within deontic logic-based policies.
The mapping of how each DPV term should be used within an ODRL policy is being developed by the DPVCG at https://w3id.org/dpv/mappings/odrl#, following the best practices documented in the ODRL V2.2 Profile Best Practices report. This mapping is also represented in machine-readable form as an ODRL profile.
The following subsections provide examples of ODRL policies that use the developed mapping.
DPV entities can be used as assigners or assignees of ODRL policies, as well as a left operand to filter ODRL party collections.
DPV processing operations can be used as actions of ODRL policies,
which can be further restricted using constraints,
e.g., dpv-odrl:Location as a left operand to restrict processing to a certain location.
DPV data and personal data types can be used as assets of ODRL policies, as well as a left operand to filter ODRL asset collections.
DPV's technology concepts, including AI systems and models terms, can be used as assets of ODRL policies, as well as a left operand to restrict the usage of a certain asset to a particular type of technology.
DPV's purpose concepts can be used as a left operand to restrict the usage of a certain asset to a purpose, e.g., research and development.
DPV's technical and organisational measures concepts can be used as a left operand to restrict the usage of a certain asset if there is a certain measure in place.
DPV's location concepts can be used as a left operand to restrict the usage of a certain asset to a certain location.
DPV's law and legal basis concepts can be used as a left operand to indicate applicable laws and legal basis that justify the usage of a certain asset.
DPV's duration and frequency concepts can be used as a left operand to indicate how long and how many times a certain asset can be processed.
DPV's rights and justification concepts can be used as left operands to indicate applicable rights and justifications for the processing of a certain asset.
DPV's risk concepts can be used as left operands to indicate risks associated with using certain services or processing data, as well as additional risk assessment parameters such as impacts or likelihood levels.
DPV's sector concepts can be used as left operands to indicate the sector in which certain services or data can or cannot be used.
DPV's status concepts can be used as left operands to indicate the status of a certain process or activity.
DPV's processing concepts can be used as left operands to indicate further contextual processing information related to a certain process or activity.
DPV's permissions, prohibitions and obligations can be mapped to ODRL's permissions, prohibitions and duties, respectively.
Beyond specifying examples, we recommend the usage of [[SHACL]] shapes to validate DPV-ODRL-based policies. While such shapes already exist to validate core ODRL constructs, the same exercise is needed for the policies described in this mapping, in particular to validate the usage of left operands. In this context, the ODRL vocabulary has a set of 12 defined constraint operators to express the relation between left and right operands. Given that multiple operators can be used to restrict this relation, the left operand and operator usage should be refined for each left operand. As such, the following template for a SPARQL-based SHACL constraint can be used to detect the usage of an invalid operator for a given left operand.
The DPVCG was established as part of the SPECIAL H2020 Project, which received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No. 731601 from 2017 to 2019. Continued developments have been funded under: RECITALS Project funded under the EU's Horizon program with grant agreement No. 101168490.
Harshvardhan J. Pandit was funded to work on DPV from 2020 to 2022 by the Irish Research Council's Government of Ireland Postdoctoral Fellowship Grant#GOIPD/2020/790.
The ADAPT SFI Centre for Digital Media Technology is funded by Science Foundation Ireland through the SFI Research Centres Programme and is co-funded under the European Regional Development Fund (ERDF) through Grant#13/RC/2106 (2018 to 2020) and Grant#13/RC/2106_P2 (2021 onwards).
The contributions of Beatriz Esteves have received funding through the the INESData project - Infrastructure to Investigate Data Spaces in Distributed Environments at UPM, (TSI-063100-2022-0001), a project funded under the UNICO I+D CLOUD call by the Ministry for Digital Transformation and the Civil Service, in the framework of the recovery plan PRTR financed by the European Union (NextGenerationEU); and from SolidLab Vlaanderen (Flemish Government, EWI and RRF project VV023/10), and by the imec.icon project PACSOI (HBC.2023.0752) which was co-financed by imec and VLAIO; and thePROTECT ITN Project from the European Union’s Horizon 2020 research and innovation programme under the Marie Skłodowska-Curie grant agreement No 813497.
The contributions of Harshvardhan J. Pandit have been made with the financial support of Science Foundation Ireland under Grant Agreement No. 13/RC/2106_P2 at the ADAPT SFI Research Centre; and the AI Accountability Lab (AIAL) which is supported by grants from following groups: the AI Collaborative, an Initiative of the Omidyar Group; Luminate; the Bestseller Foundation; and the John D. and Catherine T. MacArthur Foundation.