The INWEND project is an interdisciplinary research project funded by the German Federal Ministry of Education and Research (BMBF) in which business informatics specialists and lawyers from the Trier University have developed software that can make legal recommendations in a sub-area of data protection law. The project aimed to investigate the extent to which artificial intelligence methods can be used to support legal decision-making processes, specifically in data protection law.
The European General Data Protection Regulation (GDPR) has led to some legal uncertainty. Many companies, associations, and other institutions have sought legal advice on how to correctly implement the new law. Many citizens are also affected by the GDPR’s provisions, often without knowing it. Practically everybody incessantly deals with the personal data of others, and can thus quickly become an addressee of the provisions of the GDPR. However, for someone who blogs privately, shares photos on social media, or runs a fan page, it is far more difficult to understand and correctly apply these data protection regulations.
This may initially lead to an implementation deficit of data protection law; that is to say that entities may not (fully) comply with legal data protection requirements and specifications. Conversely, there is a risk that legal requirements will deter people from implementing desirable projects, even though they could have been implemented in conformity with data protection. Both consequences are unsatisfactory.
For this purpose, a knowledge-based system was designed and prototypically implemented that is able to provide suitable legal recommendations on specific issues in a limited sub-area of data protection law.
Specifically, the so-called household exception in Article 2(2)(c) of the GDPR was modelled by depicting different factual situations as cases - i.e. as pairs of problem and solution descriptions. This provision provides for an exception to the material scope of the GDPR in cases where personal data are processed by a natural person for the sole purpose of carrying out personal or family activities. In order to model the meaning of this provision by informatic means, typical decision-making scenarios were presented in the form of cases in which the features of the situation relevant to the decision were elaborated, weighted and combined with a legal assessment.
This knowledge base of cases was prepared in such a way that in new decision-making situations an assessment can be made regarding the relevance of the budgetary exception. For this purpose, the similarity between the current issue to be decided and the decision scenarios represented in the cases was used in the sense of case-based reasoning. After completion of the project, an ontology described in OWL and a set of around 200 cases exist, which together formalise and bundle the collected knowledge about the budgetary exception in Art. 2(2)(c) GDPR. This ontology, in turn, was used as the basis for a functional prototype that can collect the legally significant facts from the user and display a legal initial assessment to the user.
Der Prototyp wird über eine Webseite angesteuert, auf der der Benutzer die wesentlichen Angaben zu seinem Sachverhalt durch die Beantwortung von Fragen eingeben kann. Die Antworten des Benutzers werden sodann an einen Server übertragen, auf dem die eigentliche Beurteilung mithilfe des Fallbasierten Schließens erfolgt. Die ermittelten einschlägigen Fälle werden daraufhin an das Webinterface zurückübertragen und dem Nutzer in für Nichtjuristen verständlicher Form dargestellt.
The prototype is accessed via a website on which the user can enter the essential information about his or her case by answering questions. The user's answers are then transmitted to a server where the actual assessment is carried out using case-based reasoning. The relevant cases determined are then transmitted back to the web interface and presented to the user in a form understandable to non-lawyers.
The research team's paper entitled "INWEND: Using CBR to automate legal assessment in the context of the EU General Data Protection Regulation" is available here.