A Solid use case to empower and protect data subjects: Responsibilities under GDPR for governance of personal data stores

IF 3.3 · Zone 3 (Sociology) · JCR Q1 (LAW)
Michiel Fierens, Harshvardhan J. Pandit, Aurelia Tamo-Larrieux, Kimberly Garcia
Journal: Computer Law & Security Review, vol. 57, Article 106133
Published: 2025-04-13
Publication type: Journal Article
DOI: 10.1016/j.clsr.2025.106133
URL: https://www.sciencedirect.com/science/article/pii/S2212473X25000069
Citations: 0

Abstract

Decentralised data governance has emerged as an alternative model in response to the challenges of managing data and privacy in conventional centralised models. ‘Personal Data Stores’ (PDS) are at the forefront of this movement and provide forms of control over storage and management of data to the individual with the goal of empowering them. In this article, we argue how PDS, while being important technological innovations, are challenging to implement in the current regulatory landscape as the interpretation of responsibilities under the GDPR is woefully inadequate for decentralised systems. This represents a challenge to the decentralisation movement and makes it difficult to empower and protect individuals under the GDPR (data subjects) using PDS. A thorough understanding of the technological and legal situation and therefore an interdisciplinary approach is essential to make policymakers aware of any efforts that still need to be made to realise the decentralisation paradigm's goal. We therefore build upon research investigating GDPR compliance in decentralised data storage and management but do so through an interdisciplinary lens applied to an emerging application, Solid, that provides technical specifications for implementing it as the leading PDS implementation. By taking an interdisciplinary approach, we consider the interaction between the legal definitions from the GDPR and the implications of established case law with Solid's technical specifications and its possible implementations. We conclude with recommendations regarding the division of responsibilities for policymakers, authorities, market participants and technical developers to simultaneously protect and empower those involved in the use of PDS, particularly through Solid. Furthermore, the role of decentralised systems such as Solid is discussed, as well as the current unclear regulatory landscape surrounding it in the context of implementing the Data Governance Act (DGA). The implications for further AI development and within data spaces are also considered.
Source journal: CiteScore 5.60; self-citation rate 10.30%; articles published 81; review time 67 days.

Journal description: CLSR publishes refereed academic and practitioner papers on topics such as Web 2.0, IT security, identity management, ID cards, RFID, interference with privacy, Internet law, telecoms regulation, online broadcasting, intellectual property, software law, e-commerce, outsourcing, data protection, EU policy, freedom of information, computer security and many other topics. In addition, it provides a regular update on European Union developments and national news from more than 20 jurisdictions in both Europe and the Pacific Rim. It is looking for papers within the subject area that display good quality legal analysis and new lines of legal thought or policy development that go beyond mere description of the subject area, however accurate that may be.