
TRAPEZE - TRAnsparency, Privacy and security for European citiZEns

Periodic Reporting for period 1 - TRAPEZE (TRAPEZE - TRAnsparency, Privacy and security for European citiZEns)

Reporting period: 2020-09-01 to 2022-02-28

TRAPEZE seeks to reconstruct the concept of “control” in traditional data economies built on personal data processing. To that end, TRAPEZE will provide innovative solutions where such solutions are needed the most, enabling citizens to regain control of their security and privacy. TRAPEZE is a European Innovation Action with the ambitious goal of driving a cultural shift in the protection of the European data economy. It aims to achieve this by reconstructing the concepts of control, transparency and compliance through technical and methodological, citizen-first, innovations.
The project outcomes contribute to Digital Inclusion for a better EU society and empower citizens in the European digital economy by equipping them with the knowledge needed to understand and manage the security and privacy risks pertinent to such an economy.
TRAPEZE’s proposed architecture and tools will be developed and evaluated under real-world conditions (TRL7) in three pilot scenarios in government, telecommunication and IT services, and banking. All three pilots involve the processing and aggregation of large amounts of personal data from various data sources, with policies specified at different levels of granularity.
The project targets European citizens as participants of contemporary data economies; service providers throughout the public and private sectors; data protection authorities; government administrations processing authoritative data of their citizens; responsible data controller teams (CSIRTs) or authorities (DPAs); legislation institutions and regulators in charge of developing policies linked to data security aspects; research communities; technology companies; and privacy commissioners.
The uniqueness of the TRAPEZE project is supported by further practical applications of the policy language originating from the SPECIAL project. Sticky or Persisting Policies, a concept of gluing policy information persistently to the payload data, have been further enhanced and secured by the application of blockchain. Persisting Policies expressed in OWL2.0 have been mapped to an intermediate, strictly defined JSON format and then into Hyperledger blockchain Smart Contract entries. Following this approach, the initial GDPR vocabulary has been mapped and integrated. Subsequently, it has been updated to include instances to be expanded and tailored according to a specific use case application scenario.
By combining distributed ledgers with Linked Data, the TRAPEZE platform makes sure the transaction logs are overlaid with semantics and linked to the relevant context and provenance information. This personal information is maintained in the so-called Personal Data Inventory (PDI), allowing for transparency and compliance across company borders. The TRAPEZE consortium will use PDI in the planned pilots to solve the challenge of representing and dynamically attaching policy and context data, which is not persisted in the same database as the legacy data.
All the concepts and technical solutions mentioned above require a clear and relatively simple interface for their beneficiaries. Without dedicated, innovative dashboards and interfaces, supporting EU citizens in understanding and managing how their personal data is processed becomes a dubious task. A dedicated work package addresses this daunting task of developing innovative privacy interfaces that allow users to control security and privacy preferences. During the first period, dedicated UI/UX concepts were developed and assessed in usability studies. The TRAPEZE privacy dashboard provides information pertaining to personal data flows and also helps citizens exercise their legal rights while managing the risks of personal data processing activities.
TRAPEZE aims to put citizens in control by providing the knowledge to understand risks and the right tools to make informed choices, exercise their legal rights, or report security or privacy-related incidents. This is all made available through the citizen-centric help desk, i.e. the citizens' central point for all security and privacy-related questions. From this web portal, citizens can access their privacy dashboard, add their personal risk assessment to relevant personal data, report any improper use of data, conduct breach monitoring, obtain knowledge via an open knowledge base and build up privacy and security awareness skills using the citizen's microlearning and gamification tools.
The project’s activity is disseminated continuously, with all the latest information presented on the TRAPEZE web page and social media channels. The links and dependencies of the TRAPEZE project's tangible assets are defined and discussed within the consortium in a workshop called “TRAPEZE project tangible assets with a preliminary IPR clarification.” Additionally, the project partners are engaged in a continuous dialogue with the W3C Data Protection Vocabularies Community Group, contributing to the related standards and collaborating with similar projects.
TRAPEZE’s ambition is to extend beyond the state of the art in six major areas:
1) Policy Languages (PL), Legal Vocabularies, and Data Handling consider the two main aspects: (1) how to encode the policies in a machine-readable way to enable automated enforcement, real-time response to consent updates, and the explanation of enforcement decisions; (2) how to present the policies to data subjects in a "clear and intelligible" way, as required by the GDPR.
2) Transparency and Compliance: these will be improved by TRAPEZE by introducing dynamic consent and sticky policies in their full generality.
3) Protecting Citizens’ Data With Privacy-enhancing Tools for All: going beyond the existing privacy-enhancing solutions by delivering a citizen-focused security and privacy dashboard that addresses the technical, legal, usability, and sociological requirements of a real-world data processing environment. To address this, specific algorithms will be developed to inspect the blockchain ledger and the accompanying Linked Data graph and show the most relevant data to the user.
4) Raising Citizens’ Awareness and Competence: Data subjects involved in traditional security awareness education in their work environment make use of posters, videos, short animations, newsletters or PowerPoint slides, but without tools or methodologies to monitor its effectiveness. TRAPEZE combines concepts taken from classical education, like reinforcement and testing, with modern learning techniques, like automation and gamification. Among those, gamification is key, accounting for both reframing people’s attitudes and building new behavioral patterns, and creating strong emotional ties that contribute to the motivation to learn.
5) Securing Citizens’ Data at Rest, in Use, and in Motion: Mobile applications included in the TRAPEZE platform, for devices equipped with Android or iOS operating systems, will be “protected by design”.
6) Establishing End-to-End Trust with Linked Data and Blockchain: Lately, with the promise of putting the citizen back in control of their data, much emphasis in the data privacy world has been put on the importance of decentralized and distributed solutions. TRAPEZE, on the other hand, will seek to enable a steady transition to a more trusted data environment for all by delivering an innovative semantic Blockchain platform that acknowledges the world as-is.
TRAPEZE Citizen-centric help desk