5. Gaia-X Implementation of Trusted Data Transactions¶
Enabling digital transformation and developing innovative services requires timely access to relevant data, potentially aggregated from multiple sources or suitably transformed, to generate valuable insights.
Note
Data means any digital representation of acts, facts or information and any compilation of such acts, facts or information.
However, data sharing across organizations is often hindered by stakeholder resistance, governance policies, lack of appropriate tools, and challenges in addressing regulatory constraints:
- For data producers, sharing personal or non-personal data involves legal risks (e.g., GDPR violations due to lack of consent), industrial risks (e.g., disclosure of intellectual property or trade secrets), and reputational risks (e.g., public backlash if shared data is misused), while local benefits of data sharing are rarely evident.
- For data consumers, usage rights and restrictions are often unclear, not formally defined, or expressed in legal terms that are difficult to verify and enforce automatically.
- For legal and compliance teams, data access and governance processes are fragmented, and verifying lawful data usage is complex and resource-intensive.
Note
Consumer is a participant who searches service offerings and consumes service instances in the Gaia-X Ecosystem to enable digital offerings for end users.
This complexity often leads to overly cautious decisions, with a default stance of “stop and assess,” delaying data sharing and hindering digital transformation and competitive advantage.
To overcome these barriers, trust mechanisms must be established throughout the data sharing process. Data rights holders need to define usage constraints with confidence that they will be enforced. Data consumers require assurance that the data is authentic and that its use is authorized. Conversely, data providers must verify that recipients are authorized to receive the data.
This chapters outlines how the core architectural elements of the Gaia-X Trust Framework may be extended to allow the implementation of a common foundation of trust for conducting trusted data transaction (The allusion to the CEN Workshop of the same name, CEN WS TDT, is not by accident). Note that organizations need to complement the elements related to trust as depicted in this chapter with additional mechanisms for controling and performing the actual data exchange as being standardized, for instance, by the Eclipse Dataspace Working Group.
5.1 Data Product Conceptual Model¶
The Gaia-X Data Product conceptual and operational models provide these trust mechanisms and enable data rights holders to control how their data are used and by whom (this is called data sovereignty). They also support compliance with European data regulations, including the GDPR and the Data Act. They are fully described in the Data Exchange Document and the main aspects are summarized below.
Figure 5.1 - The Gaia-X Data Product Conceptual Model
Data is furnished by Data Producers to Data Providers who compose them into a Data Product to be used by Data Consumers. Data Products are Service Offering related to Data.
5.2 Understanding Data Usage Agreement (DUA)¶
Before using data that is attached to a specific license, Data Usage Agreement (DUA) must be signed by the Data Rights Holder and the Data Consumer. The signed Data Usage Agreement (a) gives Data Consumer the legal authorization to use the data in accordance with the constraints specified by the Data Rights Holder and (b) gives Data Rights Holder the assurance that the Data Consumer commits to respect these constraints.
Data Usage Agreements contain two sets of constraints: the Data Access Prerequisites, which are enforced by the Data Provider before delivering access to the data, and the Data Usage Constraints, which are outside the scope of the Data Provider and shall be respected by the Data Consumer when using the data.
Data Usage Agreements are notarized by a Data Usage Agreement Notary (DUA Notary) and can be revoked at any time.
A DUA Notary is a specialization of a Notary (see Section 4.4.2) validating the existence of a legally binding (e.g., signed by both parties, not revoked) Data Usage Agreement between a Data Producer and a Data Consumer.
The signed Data Usage Agreement is communicated to the Data Provider, who must check that the DUA is not revoked (through the DUA Notary) and that all the Data Access Prerequisites are fulfilled. This check must be done before each Data Access delivery (i.e. each time the Data Access is provided to the Data Consumer, especially for recurrent data access).
To support the right to oblivion, it is recommended that the ecosystem defines a general policy mandating each Data Consumer to check that the Data Usage Agreement is not revoked before reusing the data (even internally, when they don’t request new Data Access from the Data Provider).
Note
Implementation of the general policy by a participant depends on its own internal data management procedures and it is outside the scope of Gaia-X.
The Data Usage Agreement concept is a general concept which addresses any kind of licensed data and hence encompasses also the concepts of Consent from GDPR and of Permission from the EU Data Act. In case of data liable to legal regulation (e.g. GDPR or Data Act), the Data Usage Agreement must contain all information required by the regulation (especially, the purpose of usage).
Mapping of Gaia-X concepts with concepts used in EU data regulation
The following table maps the Gaia-X concepts with the concepts used within the different European regulations around data (GDPR and the EU acts on data – DxA):
| European regulations concepts | Gaia-X concepts |
|---|---|
| data processor in GDPR | Data Provider |
| data subject in GDPR / user in DxA | Data Rights Holder |
| consent in GDPR / permission or authorization in DxA | Data Usage Agreement |
| recipient in GDPR / DxA | Data Consumer |
For complete mapping of Gaia-X concepts used in EU data regulations, refer Data Exchange Document.