# SAP Proposal

## Landscape

* On 31 March 2023, the Italian data protection regulator, Garante per la Protezione dei Dati Personali, issued a temporary ban against OpenAI's ChatGPT for the use of personal information of millions of Italian citizens exploited for the AI’s training data.
* Facebook’s Data Usage Policy Changes: In 2014, Facebook made changes to its data usage policy that allowed the platform to collect user data from external websites and apps, even if users weren’t actively using them. This change raised concerns about user consent and how data was being used beyond the Facebook platform.
* Google’s Location Tracking Controversy: In 2018, an investigation revealed that Google continued to track users’ locations even when they had turned off location history. This sparked a debate about user consent and transparency in how location data is collected and used.
* Uber’s “Location Data Access” Controversy: Uber faced criticism when it was revealed that the company had a feature that allowed it to continue tracking users’ locations for up to five minutes after their ride had ended. Users questioned whether they had provided informed consent for such data collection.
* Apple’s App Tracking Transparency: Apple introduced the App Tracking Transparency feature in 2021, requiring app developers to obtain user consent before tracking their data across apps and websites owned by other companies. This move aimed to empower users to control their data and privacy.
* Airbnb’s Data Sharing for Trust and Safety: Airbnb, the popular accommodation platform, collects and shares user data to enhance trust and safety among its users. This includes sharing host and guest information with third-party background check services to verify identities.
* In October 2022, Clearview AI received a €20 million fine from the French data protection regulator, CNIL, for its facial recognition service that collected photographs of French individuals without a legal basis.
* In February 2023, Italy's Garante acted against Replika, an AI chatbot, by requesting it to cease processing the data of Italian users. The concern stemmed from the lack of a proper legal basis for processing children's data in compliance with GDPR.
* In May 2022, the Hungarian data protection authority fined Budapest Bank HUF 250 million (€665,000) for the use of an AI solution used to analyze voice recordings of calls conducted between its customers and the call center. The bank provided vague information on how the AI processed customer data, and both its data protection impact assessment and paperwork for the balancing test were in violation of GDPR.
* In May 2023, Samsung Electronics Co. implemented a ban on employee usage of generative AI tools, including ChatGPT, following the discovery that employees uploaded sensitive code to the platform. The decision was driven by concerns that data transmitted to AI platforms like Google’s Bard and Bing are stored on external servers, posing challenges for retrieval and deletion, and potentially leading to unintended disclosure to other users.

## Solution

* Decentralised Training Data Attribution and Consent Management Platform
* Verifiable Data Registry as a single source of truth for records of consent
* Cryptographic demonstration of compliant opt-in
* Consent opt-out available through open and public interfaces, independent of the data and consent collector's platform

## Challenges

* Compliance
* Incentivisation
* Opt-out and default opt-in
* Data and trained AI destruction after consent opt-out
* Unstructured data
* Origination ambiguity
* Overwhelming consent request with granular consent causing consent fatigue
* It is currently impossible to reverse the modifications made to an AI system by a single data point at the request of the data owner

## Actors

* Data subject (DS) is a natural or legal person who owns and shares the data while defining privacy and security preferences, and dynamically manages consents (i.e., agree/deny, view, update, and withdraw) to collect and use personal data. Data subjects can also delegate consent rights and audit data collection and usage activity history, so they can withdraw given consent at any time if needed.
* Data controller (DC) is a natural or legal person, public authority, or agency that determines why and how the personal data should be collected and/or used. DC safeguards shared personal data while providing tools for users to dynamically manage consent agreements and control access to their data.
* Data processor (DP) refers to a party (i.e., a natural or legal person, public authority, or agency) that processes personal data on behalf of data controllers. A DP requests consent and access rights before collecting and/or processing personal data, while recording processing activity history on the blockchain.
* Regulator (RG) denotes the supervisory authorities (i.e., the Office of the Data Protection Commissioner in the European Union) who regulate and control data protection regulations compliance and audit the transaction history to resolve conflicts.
  The regulator can assign, approve, and revoke membership profile roles.

# Consent Management Model

## Overview

This model outlines the structure and relationships of consent within a data management context.

## Components

### Context

- **Purpose**: The reason for data processing.
- **Territory**: The jurisdiction where data processing occurs.
- **Operations**: The actions authorized on the data.

#### Time Aspects

- **Time:Period**: The duration for which consent applies.
- **Time:Instant**: A specific point in time relevant to the consent.

### Consent

- **DataSubject or Delegation**: The entity providing consent.
- **Person or Delegation**: The entity consent is provided to.
- **Consent Agreement**: Documentation or evidence of consent.
- **Status**: The current state of the consent.

#### Status Types

- **ValidStatus**: Consent is currently active and valid.
  - *ImplicitlyGiven*
  - *ExplicitlyGiven*
  - *GivenByDelegation*
- **InvalidStatus**: Consent is not valid or no longer valid.
  - *Requested*
  - *Refused*
  - *Withdrawn*
  - *Expired*
  - *Invalidated*

## Relationships

- `Context` is defined by `Purpose`, `Territory`, and `Operations`.
- `Consent` is granted for a `Time:Period` and at a `Time:Instant`.
- `Consent` is granted by `DataSubject or Delegation` and to `Person or Delegation`.
- `Consent` has a `Status` which is either `ValidStatus` or `InvalidStatus`.
- `Consent Agreement` reflects the `Status` of consent.
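
A fail-closed check of a processing request against a consent agreement, added here as an illustration and not part of the original proposal. Field names follow the proposal's example agreement; the `VALID` and `GRANTED` values, the `check_request` helper and the sample identifiers are assumptions, since the proposal only shows the `INVALID`/`DENIED` case.

```python
from datetime import date

def _covers(constraint, territory, on):
    """True if one Constraints entry covers this territory and date."""
    try:
        start = date.fromisoformat(constraint["from"])
        end = date.fromisoformat(constraint["until"])
    except (KeyError, TypeError, ValueError):
        return False  # fail closed on missing or malformed dates
    return start <= on <= end and territory in constraint.get("in", [])

def check_request(agreement, processor, operation, territory, on):
    """Return (allowed, reasons). Every condition must hold; absent fields deny."""
    reasons = []
    # "VALID" and "GRANTED" are assumed counterparts of the page's INVALID/DENIED.
    if agreement.get("Status") != "VALID":
        reasons.append("status is not VALID")
    if agreement.get("Agreement") != "GRANTED":
        reasons.append("agreement is not GRANTED")
    if not any(p.get("to") == processor for p in agreement.get("Participants", [])):
        reasons.append("processor is not a party to the agreement")
    if operation not in agreement.get("Operations", []):
        reasons.append("operation not authorized")
    if not any(_covers(c, territory, on) for c in agreement.get("Constraints", [])):
        reasons.append("outside consent period or territory")
    return (not reasons, reasons)

# Constructed sample agreement (all identifiers are placeholders).
SAMPLE = {
    "AgreementNum": "EXAMPLE-0001",
    "Participants": [
        {"by": "subject-1", "to": "processor-1", "controller": "controller-1"}
    ],
    "Constraints": [
        {"from": "2024-07-15", "until": "2024-12-31", "in": ["Canada", "Japan"]}
    ],
    "Operations": ["ANALYZE", "QUERY"],
    "Agreement": "GRANTED",
    "Status": "VALID",
}

if __name__ == "__main__":
    when = date(2024, 8, 1)
    print(check_request(SAMPLE, "processor-1", "QUERY", "Japan", when))
    withdrawn = dict(SAMPLE, Agreement="DENIED", Status="INVALID")
    print(check_request(withdrawn, "processor-1", "QUERY", "Japan", when))
```

Returning the full list of reasons, rather than stopping at the first failure, gives the regulator's audit trail a complete record of why a request was refused.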

### Example

`Type` codes: 0 = Default, 1 = Delegated, 2 = Emergency.

```json
{
  "Consent_Agreements": {
    "Consent_Agreement": [
      {
        "AgreementNum": "202304-0009876543",
        "Type": "2",
        "Participants": [
          {
            "by": "NewDataSubjectID",
            "to": "NewDataProcessorID",
            "controller": "NewDataControllerID"
          }
        ],
        "Resource": [
          "https://cid.ipfs.io/#QmXxY...Zz9g",
          "https://cid.ipfs.io/#QmAaB...Ww8h"
        ],
        "Context": [
          {
            "for": "Educational Research",
            "at": "2024-07-15T09:45:00",
            "legal": "GDPR, Article 7.3"
          }
        ],
        "Constraints": [
          {
            "from": "2024-07-15",
            "until": "2024-12-31",
            "in": ["Canada", "Japan"]
          }
        ],
        "Operations": ["ANALYZE", "ARCHIVE", "QUERY", "RETRIEVE", "UPDATE"],
        "Agreement": "DENIED",
        "Status": "INVALID"
      }
    ]
  }
}
```