# Exploring Simulation Scenarios to Mitigate Information Asymmetry Under the LGPD Perspective - Open Banking Scenario

## Table of Contents

1. [Scenario Description: Open Banking](#Scene-0:-Open-Banking)
2. [Scene 1: Set Consent Term](#Scene-1:-Set-consent-term.)
3. [Scene 2: Data Subject Agrees with the Consent Term](#Scene-2:-Data-Subject-agrees-with-the-consent-term.)
4. [Scene 3: Defining the Data Subject's Rights](#Scene-3:-Defining-the-Data-Subject's-rights.)
5. [Scene 4: Data Subject's Consent Revocation](#Scene-4:-Data-Subject's-consent-revocation.)
6. [Performing explanation exercises regarding possible scenarios](#Performing-explanation-exercises-regarding-possible-scenarios)
    
    6.1 [Cause-Effect: Consent revocation not respected](#Cause-effect:-How-to-evidence-when-the-Data-Controller-did-not-respect-the-consent-revocation?)
    
    6.2 [Cause-Effect: Evidencing data leak](#Cause-effect:-How-to-get-evidences-that-the-Data-Controller-leaked-the-Data-Subject's-data?)
    
    6.3 [Cause-effect: Data breach, what to do?](#Cause-effect:-Data-breach,-what-to-do?)
    
    6.4 [Cause-Effect: Requesting data correction](#Cause-effect:-Requesting-data-correction)

    6.5 [Cause-Effect: Requesting data anonymization](#Cause-effect:-Requesting-anonymization)
    
    6.6 [Cause-effect: Data deletion](#Cause-effect:-Data-deletion)
    
    6.7 [Cause-effect: Technology unavailability](#Cause-effect:-Technology-unavailability)
    
    6.8 [Cause-effect: Inconsistent behavior](#Cause-effect:-Inconsistent-behavior)
    
    6.9 [Cause-effect: Data portability](#Cause-effect:-Data-portability)
    
    6.10 [Cause-effect: Plug a new consent term](#Cause-effect:-Plug-a-new-consent-term)

### Scenario Description: Open Banking

Open banking is the practice of enabling data sharing between financial institutions. It enables banking interoperability through APIs (Application Programming Interfaces). For example, the data subject can request a credit card from bank A, a financial loan from bank B, and buy assets from bank C. Moreover, open banking allows the data subject, for instance, to open an account simply by requesting his/her data from an institution where he/she already has an account. Open banking therefore makes data sharing more agile, transparent, and secure by letting the data subject choose: (i) which data he/she wants to share; (ii) when; (iii) for how long; and (iv) with whom.

In this sense, open banking acts as a kind of data portability foreseen in the LGPD. However, there are strict rules set by the Central Bank to enable the data exchange between the financial institutions.
For instance, the consent term related to open banking must not be provided on paper or as an adhesion contract, through forms with the agree option filled in by default, or without an explicit expression of acceptance from the data subject.
<!--https://economia.uol.com.br/faq/open-banking-compartilhamento-dados.htm-->

A data subject who wants to participate in the open banking ecosystem has to agree to a consent term that allows the institution to share his/her data. Following the LGPD and the GDPR rules, the institution must offer the data subject an option to revoke his/her consent at any time. Moreover, particularly in the LGPD, such a consent term must be valid for 12 months at most, i.e., the institution must request a new consent term every year to confirm the data subject's wishes.

There is an extensive list of: (i) personal data, (ii) enterprise data, and (iii) transactional data.

(i) Personal Data: Full Name, Document ID, Residential Address, Phone Number, E-mail Addresses, Social Name, Parents' Names, Marital Status, Date of Birth, Gender, Nationality, Income, Patrimony, Occupation, Relationship Start Date, Products and Services Hired, Agency and Account Number, Legal Person in Charge Name and ID Number (if any).
 
(ii) Enterprise Data: Company's Name, Identification Number, Address, Latitude and Longitude, Phone Number, E-mail Addresses, Owners' Names and their Identification Numbers, Administrators, Society Rates, Start Date, Activity Field, Income, Patrimony, Relationship Start Date, Products and Services Hired, Agency and Account Number.

(iii) Transactional Data: Account Balance, Credit Card Type and Identification, Limit, Transactions, Credit Card Bill, Credit Services (Ex: loan and investments)

To share the above data, the data subject must agree with the proposed consent term. The process of using the open finance service is free of charge.

Thus, suppose that the data subject wants to share his/her data from Bank A to Bank B.
The process to share the financial data is composed of six steps as follows:
 1. The data subject should start the process showing Bank B his/her intention to get his/her data from Bank A.
 2. The data subject should verify the purpose of the data usage from Bank B and go to the next step if he/she has no objection to the informed purpose.
 3. The data subject should choose: (i) the origin institution, i.e., Bank A, to request the data, (ii) the data that he/she wants to share, and (iii) the time frame, that must be twelve months at most.
 4. Bank B will redirect the data subject to Bank A where the data subject will be able to confirm his/her identity as well as confirm his/her wishes to share the selected data.
 5. Bank A will redirect the data subject to Bank B. Bank B will notify the data subject if the authorization process is concluded.
 6. Finally, Bank B will be able to request the authorized data from Bank A.
 
It is important to note that the data subject can revoke his/her consent at any time. To do so, the data subject should access Bank A communication channels and request the consent revocation. The data sharing will be stopped in twelve months automatically. In this case, the data subject will be able to choose to renew his/her consent to continue sharing his/her data.

The consent revocation may imply stopping receiving services and product offers from Bank B.

In joint account cases, the authorization can be done individually. The transactional data will be available to anyone who can manage the Bank B account without the others.
If there is a requirement to request authorization from more than one account, both banks must provide information regarding how to do that.


The shared data will be used to offer products and services that fit the data subject's profile or to comply with other legal bases and legal obligations, such as money laundering, fraud, and risk evaluation, including credit risk. Moreover, the data will be used to create and improve Bank B's services, products, and processes.

In order to reproduce the scenario in the Open Banking environment, the first step is to build the consent term with all params foreseen in the LGPD.

The Data Subject John wants to share his data from Bank A to Bank B.
For the record, let's consider that there is an active consent term between John and Bank A.

From the LGPD perspective, the data will be shared for twelve months at most; therefore, from Wednesday, December 08, 2021, 10:41 a.m. to Thursday, December 08, 2022, 10:41 a.m. Bank B will be allowed to get John's data from Bank A.

Bank B will share only the data allowed by John, and will use them to comply with government laws and propose new products and services according to John's profile. Bank B will not share any information with third parties without contacting John. If Bank B updates its consent term, Bank B must inform John regarding this update and request a new approval.

Best practices based on the user experience with two financial institutions using Open Banking:
 - Bank A should allow John to select which data he wants to share with bank B.
 - Bank A should allow John to set the time range that he wants to share his data, considering a maximum of twelve months.

In this sense, John followed the six steps mentioned above, and he agreed to share his personal, financial, and transactional data with Bank B. 

Agents
 - Data Subject - John
 - Data Controller and processor - Bank A - Origin
 - Data Controller and processor - Bank B - Receiver

Action
 - Defined in the consent term.
 - Risk: the data subjects should evaluate what they consider as low, medium, or high risk. For instance, they may consider the following definitions to guide their decision:
   - Low: when there is no sensitive data requisition; 
   - Medium: there are no sensitive data foreseen in the LGPD, but there are data that may generate discrimination actions to the data subject; 
   - High: At least one sensitive data foreseen in the LGPD shared with the data controller.
 - Jurisdiction: Brazilian Law
 
Consent Term
 - As the scenario description has all the required information for a consent term, it will be considered as the consent term on this occasion.

Rights
 - The Data Subject will have all the LGPD foreseen rights. 
 - Bank A: The consent revocation regarding open banking:
     - should not impact the other rights;
     - it will imply stopping receiving products and services from Bank B, and the data will not be shared anymore;
     - there is no information in the open banking regarding if the data must be deleted from Bank B in this case.
 
Deontic Operator
 - The Data Subject has the permission to call for any action related to his rights
 - Data Controller B is obligated to abide by the Data Subject solicitations, except when the law says the opposite.
 - Data Controller B is prohibited from using the personal data collected under circumstances other than those in the consent term.
 - Violation and compliance will be explored in the extended scenarios at the end of this notebook.


However, the Data Subject decided to revoke his consent with Bank B.
The following figure depicts this macro scenario process.

![Scenario2_Process](./img/Scenario2_Process.png "Process 2")
Fig.5 - Macro Scenario Process.

Moreover, four other cause-effect scenarios were explored in order to show some possibilities regarding the data subject's rights.

The goal is to create a scenario with Prolog to explore the facts across different time ranges and some cause-effect scenarios. This notebook tries to keep to general facts that could occur in any domain. Domain-specific facts were not explored.
 
*PS-1: The timestamp is used to provide the time spectrum. The following tool was used to convert human time to timestamp and the other way around. https://www.epochconverter.com/ - 360 days is equivalent to adding the value 31536000 in the timestamp*  

*PS-2: To help the usage of timestamp, we considered the following association.*
- *Wednesday, December 08, 2021 10:41:00 AM = 1638970860*
- *Thursday, December 08, 2022 10:41:00 AM = 1670506860*
<!-- - *Saturday, June 26, 2021 1:07:55 PM = 1624712875* -->

 
 ---------

### Scene 1: Set consent term.

The first step is the consent setup. The consent must have all information described in the LGPD Art. 9. The following method receives all the required information.

**General information (Data Subject, Data Controller, Personal and Sensitive Data)**

The **Data Subject John** allows the **Data Controller Bank B** to access, store, and process his personal and transactional data from Bank A in order to **offer products and services**, **allowing Bank B to send offers appropriately based on John's data**. 

**Data Controller collection, processing, and storing guidelines**

John's personal and transactional data will be shared with Bank B under strict governance policies that guarantee that only the information required to execute their functions will be shared. The employees will respond to any unauthorized data access, leak, or other activities that may expose or cause any loss to the data subject. No information will be made publicly available without prior consent.

**Processing and storing time**

The personal and transactional data will be available, stored, and processed while the data subject has an active consent term with Bank A and Bank B. **A new consent term will be required in the following situations:**
 - when there is an update on the consent term;
 - when the data subject changes the data that he wants to share or changes the time range;
 - when the due date is reached.

**Consent expiration date**

Therefore, this **consent term is valid for twelve months at most considering the open banking rules**. The data subject may renew the consent or revoke it at any time.

**Security measures**

Bank B will apply **cryptographic algorithms** and **access policies** to avoid data breaches and unauthorized access. The personal and transactional data will be **stored in a private cloud** where Bank B has complete control of the applied technologies.

**Third-party data sharing**

The Data Controller Bank B is not allowed to **share** the Data Subject's data, except in cases where the government requires such data.

**Contact information**

To make any request, please use the Data Controller communication channel by **email lgpd@bankb.br**.


PS: If requested, the Data Controllers must always inform whether they are processing the personal data.

In [1]:
% Description: This function defines a consent term including all required information described in the LGPD Art. 9
% The consent term must inform:
%    i. Data Controller
%   ii. Data Subject
%  iii. Specific Purpose
%   iv. Form 
%    v. Time length of processing
%   vi. The purpose when sharing the data with third parties, when applied
%  vii. Communication channel through which the data subject can request any information
% viii. Data Controller contact
%   ix. Cryptography Algorithm
%    x. Access Policies
%   xi. Storage Platform


createConsentTerm(ID,DC,DS,PData,SData,Purpose,
                SpecificPurpose,
                Form,
                TimeLength,
                ThirdPartyPurpose,
                Channel,
                DCContact,
                CA, AP, SP) :-

                assertz(id(ID)),
                assertz(dataSubject(DS)),
                assertz(dataController(DC)),
                assertz(personalData(DS,PData)),
                assertz(sensitiveData(DS, SData)),
                assertz(purpose(DC,DS,Purpose)),
                assertz(specificPurpose(DC,DS,Purpose,SpecificPurpose)),
                assertz(form(DC,DS,Purpose,SpecificPurpose,Form)),
                assertz(timeLength(DC,DS,Purpose,SpecificPurpose,TimeLength)),
                assertz(thirdyPartySharingPurpose(DC,DS,Purpose,SpecificPurpose,
                                                    TimeLength,ThirdPartyPurpose)),
                assertz(channelToProvideInformation(DC,DS,Channel,DCContact)),
                assertz(criptographyAlgoritm(CA)),
                assertz(accessPolicies(AP)),
                assertz(storagePlatform(SP)).



In [2]:
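% This call defines a general consent term with the given params.
% Note: SHA-256 is a hash function and provides no confidentiality by itself;
% the CA field only records the declared algorithm name.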

?- createConsentTerm(10,'Bank B','John','john@mail.com','personal_and_transactional','offer_products_and_services',
                'create_specific_offers',
                'data_analytics',
                31536000,
                'none',
                'e-mail',
                'lgpd@bankb.br',
                'SHA256',
                'Authorized employees can access the data only',
                'Bank B private cloud').

true.

In [3]:
% This fact grants the Data Subject the right to request processing confirmation

dsRight(processingConfirmation,dataSubject('John'),dataController('Bank B')).
?- assertz(log('Data Subject can ask if the Data Controller is processing his/her data','Explanation','Permission',1638970860)).

true.

 ---------

### Scene 2: Data Subject agrees with the consent term.

First, the Data Subject verifies whether all the crucial elements are described in the consent term presented by the Data Controller. If so, the program records that the consent term is ok, i.e., it has all the required information.

In [4]:
% Description: This function verifies if a consent term includes all required information described in the LGPD Art. 9
% The consent term must inform:
%    i. Data Controller
%   ii. Data Subject
%  iii. Specific Purpose
%   iv. Form 
%    v. Time length of processing
%   vi. The purpose when sharing the data with third parties, when applied
%  vii. Communication channel through which the data subject can request any information
% viii. Data Controller contact

checkConsentTerm(id(ID),dataController(DC),
                dataSubject(DS),
                purpose(DC,Purpose),
                SpecificPurpose,
                Form,
                TimeLength,
                ThirdPartyPurpose,
                Channel,
                DCContact,
                Date) :-
    (
        form(DC,DS,Purpose,SpecificPurpose,Form),
        timeLength(DC,DS,Purpose,SpecificPurpose,TimeLength),
        thirdyPartySharingPurpose(DC,DS,Purpose,SpecificPurpose,TimeLength,ThirdPartyPurpose),
        channelToProvideInformation(DC,DS,Channel,DCContact),
        purpose(DC,DS,Purpose),
        specificPurpose(DC,DS,Purpose,SpecificPurpose),
        assertz(consentTermStatus(id(ID),dataController(DC),dataSubject(DS),status('Valid'))),
        assertz(log('Data Subject verified the consent term and it was ok','Explanation','Obligation',Date))
    ).



In [5]:
% This function call returns true if the consent term is ok, or false if not.

?- checkConsentTerm(id(10),dataController('Bank B'),
                        dataSubject('John'),
                        purpose('Bank B','offer_products_and_services'),
                        'create_specific_offers',
                        'data_analytics',
                        31536000,
                        'none',
                        'e-mail',
                        'lgpd@bankb.br',
                        1638970860).

true.

So, if the consent term is ok, the Data Subject can inform that he/she agrees with the consent term.

Hence, the Data Controller can collect, store and process the Data Subject's data.

In [6]:
% Description: This function sets that the Data Subject agreed with the consent term.
% This function receives the params:
%    i. Consent ID
%   ii. Data Subject
%  iii. Data Controller
%   iv. Request Format (Direct/Express or Proxy/Tacit)
%    v. Personal Data
%   vi. Sensitive Data
%  vii. Start Date - Timestamp
% viii. End Date - Timestamp

setThatdsAgreeWithConsentTerms(id(ID),dataSubject(DS),
                                dataController(DC),
                                requestFormat(RF,DS,LPC),
                                personalData(DS,PData),
                                sensitiveData(DS,SData),
                                startDate(StartTS),
                                endDate(EndTS)) :-
    consentTermStatus(id(ID),dataController(DC),dataSubject(DS),status('Valid')),
    

    
    assertz(origin(id(ID),dataSubject(DS),dataController(DC),requestFormat(RF,DS,LPC))),
    assertz(requestFormat(RF,DS,LPC)),
    
    % Record the agreed consent window (start and end timestamps)
    assertz(dsAgreeWithConsentTerms(dataSubject(DS),dataController(DC),startDate(StartTS),endDate(EndTS))),
    assertz(log('Data Subject agrees with consent term','Communication','Compliance',StartTS)),

    assertz(dcIsCollectingDSData(id(ID),dataController(DC),dataSubject(DS),personalData(DS,PData),sensitiveData(DS,SData),startDate(StartTS),endDate(EndTS))),
    assertz(log('Data Controller can collect the Data Subject information','Explanation','Permission',StartTS)),
    
    assertz(dcIsStoringDSData(id(ID),dataController(DC),dataSubject(DS),personalData(DS,PData),sensitiveData(DS,SData),startDate(StartTS),endDate(EndTS))),
    assertz(log('Data Controller can store the Data Subject information','Explanation','Permission',StartTS)),
        
    assertz(dcIsProcessingDSData(id(ID),dataController(DC),dataSubject(DS),personalData(DS,PData),sensitiveData(DS,SData),startDate(StartTS),endDate(EndTS))),
    assertz(log('Data Controller can process the Data Subject information','Explanation','Permission',StartTS)).



In [7]:
% This function call returns true in case of success.
% EndDate is computed first so that the stored facts carry a bound end date.

?- EndDate is 1638970860+31536000,
   setThatdsAgreeWithConsentTerms(id(10),
                                dataSubject('John'),
                                dataController('Bank B'),
                                requestFormat('Direct','John','null'),
                                personalData('John','john@mail.com'),
                                sensitiveData('John','transactional_data'),
                                startDate(1638970860),
                                endDate(EndDate)).

EndDate = 1670506860 .

Now, the Data Controller can collect, store and process the Data Subject's data.

In [8]:
?- dcIsCollectingDSData(id(10),dataController('Bank B'),dataSubject('John'),
                        personalData('John','john@mail.com'),sensitiveData('John','transactional_data'),
                        startDate(1638970860),endDate(1670506860)),
                        
dcIsProcessingDSData(id(10),dataController('Bank B'),dataSubject('John'),
                        personalData('John','john@mail.com'),sensitiveData('John','transactional_data'),
                        startDate(1638970860),endDate(1670506860)),
                    
dcIsStoringDSData(id(10),dataController('Bank B'),dataSubject('John'),
                        personalData('John','john@mail.com'),sensitiveData('John','transactional_data'),
                        startDate(1638970860),endDate(1670506860)).

true.

---------

### Scene 3: Defining the Data Subject's rights.

According to the LGPD Art. 18, when the Data Subject is sharing data with a Data Controller, he/she has the following rights:
1. Data Access
2. Data Copy
3. Data Correction
4. Data Anonymization
5. Data Portability
6. Data Deletion
7. Information regarding the data sharing with a third party
8. Request consent revocation.

In [9]:
% Description: This function sets all the Data Subject's rights foreseen in the LGPD.
% This function receives the params:
%   i. Data Subject
%  ii. Data Controller
% iii. Start Date - Timestamp

setDSRights(dataSubject(DS),dataController(DC),startDate(StartTS)) :-
    assertz(dsRight(dataAccess,dataSubject(DS),dataController(DC))),
    assertz(dsRight(dataCopy,dataSubject(DS),dataController(DC))),
    assertz(dsRight(dataCorrection,dataSubject(DS),dataController(DC))),
    assertz(dsRight(dataAnonymization,dataSubject(DS),dataController(DC))),
    assertz(dsRight(dataPortability,dataSubject(DS),dataController(DC))),
    assertz(dsRight(dataDeletion,dataSubject(DS),dataController(DC))),
    assertz(dsRight(dataSharingInformation,dataSubject(DS),dataController(DC))),
    assertz(dsRight(requestConsentRevocation,dataSubject(DS),dataController(DC))),
    assertz(log('Data Subject can now have all foressen rights','Explanation',
            'Permission',StartTS)).



In [10]:
% This function call returns true if all the Data Subject's rights were associated with him/her.

?- setDSRights(dataSubject('John'),dataController('Bank B'),startDate(1638970860)).

true.

 ---------

### Scene 4: Data Subject's consent revocation.

As mentioned in the scenario's description, the Data Subject decides to revoke his consent.
The Data Subject considered that he does not want to receive offers from Bank B. 

Once performed, the action of requesting the consent revocation cannot be executed again, and the Data Controller is forbidden from continuing to collect the Data Subject's data.

In [11]:
% Description: This fact accepts a request made by a legal person in charge on the Data Subject's behalf.
% It receives the params:
%   i. Legal Person in Charge
%  ii. Data Subject
% iii. Request
% All three arguments are variables, so any request text
% (e.g. 'Request consent revocation') unifies with it.

lpcRequest(legalPersonInCharge(_LPC),dataSubject(_DS),_Request).



In [12]:
% Description: This function revokes the Data Controller's action of collecting the Data Subject's data.
% This function receives the params:
%   i. Consent ID
%  ii. Data Subject
% iii. Data Controller
%  iv. Personal Data
%   v. Sensitive Data

setDSRevokeConsent(id(ID),
                    dataSubject(DS),
                    dataController(DC),
                    personalData(DS,PData),
                    sensitiveData(DS,SData),
                    now(Date),
                    startDate(StartTS),
                    endDate(EndTS)                    
                    ) :-
    
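    % Branch 1: the revocation right is not available (already used): log the failed attempt.
    requestFormat('Direct',DS,'null'),
    not(dsRight(requestConsentRevocation,dataSubject(DS),dataController(DC))),
    assertz(log('Data Subject tried to revoke his/her consent, but fail','Explanation','Prohibition',Date))
    ;
    % Branch 2: direct request with the right still available.
    % The request format is checked before anything is retracted.
    requestFormat('Direct',DS,'null'),
    retract(id(ID)),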
    retract(dsRight(requestConsentRevocation,dataSubject(DS),dataController(DC))),
    assertz(log('Data Subject requested to the Data Controller to revoke his/her consent','Communication','Permission',Date)),
    
    retract(dcIsCollectingDSData(id(ID),dataController(DC),dataSubject(DS),personalData(DS,PData),sensitiveData(DS,SData),startDate(StartTS),endDate(EndTS))),
    assertz(log('From now, the Data Controller cannot collect the Data Subject information','Communication','Prohibition',Date)),
    
    retract(dcIsProcessingDSData(id(ID),dataController(DC),dataSubject(DS),personalData(DS,PData),sensitiveData(DS,SData),startDate(StartTS),endDate(EndTS))),
    assertz(log('From now, the Data Controller cannot process the Data Subject information','Communication','Prohibition',Date)),
    
    retract(consentTermStatus(id(ID),dataController(DC),dataSubject(DS),status('Valid'))),
    assertz(consentTermStatus(id(ID),dataController(DC),dataSubject(DS),status('Invalid'))),
    assertz(log('From now, consent is not valid to be used by the data controller','Explanation','Prohibition',Date)).

    



In [13]:
% Description: This function requires the legal person in charge to revoke the Data Controller's action of collecting the Data Subject's data.
% This function receives the params:
%   i. Consent ID
%  ii. Data Subject
% iii. Legal Person in Charge
%  iv. Data Controller
%   v. Personal Data
%  vi. Sensitive Data

setDSRevokeProxyConsent(id(ID),
                    dataSubject(DS),
                    dataController(DC),
                    legalPersonInCharge(LPC),
                    personalData(DS,PData),
                    sensitiveData(DS,SData),
                    now(Date),
                    startDate(StartTS),
                    endDate(EndTS)                    
                    ) :-
    
    not(requestFormat('Direct',DS,'null')),
    not(dsRight(requestConsentRevocation,dataSubject(DS),dataController(DC))),
    assertz(log('Data Subject tried to revoke his/her consent, but fail','Explanation','Prohibition',Date));
    
    not(requestFormat('Direct',DS,'null')),
    lpcRequest(legalPersonInCharge(LPC),dataSubject(DS),'Request consent revocation'),
    assertz(log('This is not a Direct consent, so a Legal Person in Charge must to request the consent revocation','Communication','Obligation',Date)),
    
    retract(dsRight(requestConsentRevocation,dataSubject(DS),dataController(DC))),
    assertz(log('Data Subject requested to the Data Controller to revoke his/her consent','Communication','Permission',Date)),
    
    retract(dcIsCollectingDSData(id(ID),dataController(DC),dataSubject(DS),personalData(DS,PData),sensitiveData(DS,SData),startDate(StartTS),endDate(EndTS))),
    assertz(log('From now, the Data Controller cannot collect the Data Subject information','Communication','Prohibition',Date)),
    
    retract(dcIsProcessingDSData(id(ID),dataController(DC),dataSubject(DS),personalData(DS,PData),sensitiveData(DS,SData),startDate(StartTS),endDate(EndTS))),
    assertz(log('From now, the Data Controller cannot process the Data Subject information','Communication','Prohibition',Date)),
    
    retract(consentTermStatus(id(ID),dataController(DC),dataSubject(DS),status('Valid'))),
    assertz(consentTermStatus(id(ID),dataController(DC),dataSubject(DS),status('Invalid'))),
    assertz(log('From now, consent is not valid to be used by the data controller','Explanation','Prohibition',Date)).

    



In [14]:
% This call stores the Data Subject's motivation to request the consent revocation.
?- assertz(log('Data Subject considered he does not want to receive more offers from Bank B','Communication','Permission',1638970861)).

% This function call returns true if the Data Subject's request was successfully performed.
% EndDate is computed first so that the facts are retracted with a bound end date.
?- EndDate is 1638970860+31536000,
   setDSRevokeConsent(id(10),
                        dataSubject('John'),
                        dataController('Bank B'),
                        personalData('John','john@mail.com'),
                        sensitiveData('John','transactional_data'),
                        now(1638970861),
                        startDate(1638970860),
                        endDate(EndDate)
                        ).
    

true.
EndDate = 1670506860 .

Therefore, the consent revocation request impacts many LGPD relationships as depicted in Figure 6.

![RootScenarioImpact](./img/RootScenarioImpact.png "Root Scenario Impact")
Fig.6 - Consent Revocation Impact.

The red entities were impacted, directly or indirectly, when the consent was revoked. First, the data controller must stop collecting personal data immediately. Next, the data controller must update the sharing policies and access restrictions to prevent unauthorized access or new data processing. In addition, the consent status will change to "invalid", as the controller cannot use this consent anymore.
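
The scenes above record the consent window and the revocation, but they do not compare either with the time at which the controller actually touches the data. The following is an added example, not part of the original notebook, that checks a constructed audit trail against the twelve-month cap and the revocation time. All predicate names (`consent/5`, `revocation/2`, `access_event/4`, `violation/2`, and the helpers) and the sample events are hypothetical; storing is left out of the prohibited operations because the scenario keeps storage permitted until deletion is requested.

```prolog
% Added example: hypothetical predicates, constructed sample data.
:- dynamic consent/5, revocation/2, access_event/4.

% Twelve-month cap in seconds, the value used for the time frame on this page.
max_window(31536000).

% consent(Id, Controller, Subject, StartTS, EndTS)
consent(10, 'Bank B', 'John', 1638970860, 1670506860).

% revocation(Id, TS): John revokes one second after agreeing (Scene 4).
revocation(10, 1638970861).

% access_event(Controller, Subject, Operation, TS): constructed audit trail.
access_event('Bank B', 'John', collect, 1638970860).  % inside window, before revocation
access_event('Bank B', 'John', process, 1638970900).  % inside window, after revocation
access_event('Bank B', 'John', store,   1638970900).  % storing is not prohibited here
access_event('Bank B', 'John', collect, 1670506861).  % one second after the end date

% Operations that need a consent that is active at the time of the event.
requires_active_consent(collect).
requires_active_consent(process).

% well_formed(+Id): the window is positive and does not exceed the cap.
well_formed(Id) :-
    consent(Id, _, _, Start, End),
    max_window(Max),
    End > Start,
    End - Start =< Max.

% active_at(+Id, +TS): consent Id covers TS and was not revoked at or before TS.
active_at(Id, TS) :-
    well_formed(Id),
    consent(Id, _, _, Start, End),
    TS >= Start,
    TS =< End,
    \+ ( revocation(Id, RevTS), TS >= RevTS ).

% violation(-Event, -Reason): an event that needed consent but had none active.
violation(access_event(DC, DS, Op, TS), Reason) :-
    access_event(DC, DS, Op, TS),
    requires_active_consent(Op),
    \+ ( consent(Id, DC, DS, _, _), active_at(Id, TS) ),
    reason(DC, DS, TS, Reason).

% reason(+DC, +DS, +TS, -Reason): first matching explanation for the violation.
reason(DC, DS, _, malformed_window) :-
    consent(Id, DC, DS, _, _),
    \+ well_formed(Id), !.
reason(DC, DS, TS, revoked(RevTS)) :-
    consent(Id, DC, DS, Start, End),
    TS >= Start, TS =< End,
    revocation(Id, RevTS),
    TS >= RevTS, !.
reason(DC, DS, TS, expired(End)) :-
    consent(_, DC, DS, _, End),
    TS > End, !.
reason(DC, DS, TS, not_yet_valid(Start)) :-
    consent(_, DC, DS, Start, _),
    TS < Start, !.
reason(_, _, _, no_consent_on_record).

% report/0 prints one line per violation found in the audit trail.
report :-
    forall(violation(access_event(DC, DS, Op, TS), Reason),
           format('~w: ~w of data of ~w at ~w -> ~w~n',
                  [DC, Op, DS, TS, Reason])).

% Usage:
% ?- report.
% ?- findall(Op-TS-R, violation(access_event(_, _, Op, TS), R), Vs).
```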

 ---------

### Performing explanation exercises regarding possible scenarios

Here, we ask questions regarding access confirmation, rights compliance, and information about the consent term. These questions exercise the data subject's and controller's understanding of possible scenarios during the relationship between these two actors.


Is the data controller Bank B using the data subject John's data?

Expected: As the Data Subject requested to revoke his consent, the data controller is **prohibited** from continuing to use the Data Subject's data.

In [15]:
?- dcIsProcessingDSData(id(10),dataController('Bank B'),dataSubject('John'),
    personalData('John',PData),sensitiveData('John',SData),startDate(1638970860),endDate(1670506860)).

false.

Why?

In [16]:
?- log(Event,'Communication',Type, 1638970861).

Event = Data Subject considered he does not want to receive more offers from Bank B, Type = Permission ;
Event = Data Subject requested to the Data Controller to revoke his/her consent, Type = Permission ;
Event = From now, the Data Controller cannot collect the Data Subject information, Type = Prohibition ;
Event = From now, the Data Controller cannot process the Data Subject information, Type = Prohibition .

What are the Data Subject's rights right now?

Expected: As the Data Subject requested to revoke his consent, he is **prohibited** from creating such a request again, even though he has **permission** to request the other rights foreseen by the LGPD.

In [17]:
?- dsRight(RIGHT,dataSubject('John'),dataController('Bank B')).

RIGHT = processingConfirmation ;
RIGHT = dataAccess ;
RIGHT = dataCopy ;
RIGHT = dataCorrection ;
RIGHT = dataAnonymization ;
RIGHT = dataPortability ;
RIGHT = dataDeletion ;
RIGHT = dataSharingInformation .

Can all items from Art. 9 be reported?

In [18]:
?- specificPurpose('Bank B','John','offer_products_and_services',SPECIFICPURPOSE).

SPECIFICPURPOSE = create_specific_offers .

In [19]:
?- timeLength('Bank B','John','offer_products_and_services', 'create_specific_offers',TimeRange).

TimeRange = 31536000 .

Who is collecting the Data Subject's personal data, and what are the respective data?

In [20]:
?- dcIsCollectingDSData(id(ID),dataController(DC),dataSubject('John'),personalData('John',PData),sensitiveData('John',SData),startDate(SD),endDate(ED)).

false.

Why?

In [21]:
?- log(Event,'Communication',Type, 1638970861).

Event = Data Subject considered he does not want to receive more offers from Bank B, Type = Permission ;
Event = Data Subject requested to the Data Controller to revoke his/her consent, Type = Permission ;
Event = From now, the Data Controller cannot collect the Data Subject information, Type = Prohibition ;
Event = From now, the Data Controller cannot process the Data Subject information, Type = Prohibition .

Who is storing the Data Subject's personal data, and what are the respective data?

Expected: Although the Data Subject requested to revoke his consent, he did not request data deletion, so the Data Controller is **permitted** to store his data.

In [22]:
?- dcIsStoringDSData(id(ID),dataController(DC),dataSubject('John'),personalData('John',PData),sensitiveData('John',SData),startDate(1638970860),endDate(1670506860)).

ID = 10, DC = Bank B, PData = john@mail.com, SData = transactional_data .

Show all events.

In [23]:
?- log(Event,Type,DeonticOperator,Date) {-1}.

Event = Data Subject can ask if the Data Controller is processing his/her data, Type = Explanation, DeonticOperator = Permission, Date = 1638970860 ;
Event = Data Subject verified the consent term and it was ok, Type = Explanation, DeonticOperator = Obligation, Date = 1638970860 ;
Event = Data Subject agrees with consent term, Type = Communication, DeonticOperator = Compliance, Date = 1638970860 ;
Event = Data Controller can collect the Data Subject information, Type = Explanation, DeonticOperator = Permission, Date = 1638970860 ;
Event = Data Controller can store the Data Subject information, Type = Explanation, DeonticOperator = Permission, Date = 1638970860 ;
Event = Data Controller can process the Data Subject information, Type = Explanation, DeonticOperator = Permission, Date = 1638970860 ;
Event = Data Subject can now have all foressen rights, Type = Explanation, DeonticOperator = Permission, Date = 1638970860 ;
Event = Data Subject considered he does not want to receive more off

----

#### Cause-effect: How to evidence when the Data Controller did not respect the consent revocation?

Let's picture that the Data Controller did not respect the Data Subject's request and is still collecting the Data Subject's data. In such a plot, fines must be applied.

<div>
<img src="./img/Scenario2.1_Process.png" width="600"/>
</div>
Fig.7 - Consent Revocation Scenario Process.

In [24]:
% This command sets that the Data Controller is collecting the Data Subject's data.

dcIsCollectingDSData(id(10),dataController('Bank B'),dataSubject('John'),
                        personalData('John','john@mail.com'),sensitiveData('John','transactional_data'),
                        startDate(1638970860),endDate(1670506860)).



So, the data controller is now collecting data without authorization, which has been **prohibited** since the data subject requested consent revocation. The following command checks the environment facts and inserts a fact about the rights **violation** in the log.

In [25]:
% This command:
%   (i) verifies if the Data Controller is collecting the Data Subject's data;
%  (ii) verifies if there is no consent with a valid status
% (iii) verifies in the log if the Data Subject requested consent revocation;
%  (iv) if all previous verifications are true, insert in the log that the Data Controller did not respect 
%       the Data Subject's will.

?- dcIsCollectingDSData(id(10),dataController('Bank B'),dataSubject('John'),
                        personalData('John','john@mail.com'),sensitiveData('John','transactional_data'),
                        startDate(1638970860),endDate(1670506860)),
                        
    not(consentTermStatus(id(10),dataController('Bank B'),dataSubject('John'),status('Valid'))),
    
    log('Data Subject requested to the Data Controller to revoke his/her consent','Communication','Permission',1638970861),
    
    assertz(log('Data Controller did not respect the consent revocation requested by the Data Subject, 
                and still processing. Thus, fines should be applied','Communication','Violation',1638970861)).

true.

In this sense, the program log should help the Data Subject to create evidence of his/her requests. The log will show that the consent was revoked and that the Data Controller **violated** the Data Subject's will.

In [26]:
?- log(Event,Type,DeonticConcept,Date) {-1}.

Event = Data Subject can ask if the Data Controller is processing his/her data, Type = Explanation, DeonticConcept = Permission, Date = 1638970860 ;
Event = Data Subject verified the consent term and it was ok, Type = Explanation, DeonticConcept = Obligation, Date = 1638970860 ;
Event = Data Subject agrees with consent term, Type = Communication, DeonticConcept = Compliance, Date = 1638970860 ;
Event = Data Controller can collect the Data Subject information, Type = Explanation, DeonticConcept = Permission, Date = 1638970860 ;
Event = Data Controller can store the Data Subject information, Type = Explanation, DeonticConcept = Permission, Date = 1638970860 ;
Event = Data Controller can process the Data Subject information, Type = Explanation, DeonticConcept = Permission, Date = 1638970860 ;
Event = Data Subject can now have all foressen rights, Type = Explanation, DeonticConcept = Permission, Date = 1638970860 ;
Event = Data Subject considered he does not want to receive more offers fro

Moreover, Figure 6 may also be used to check whether the consent revocation was properly attended to. If there is no modification in the red entities, something is not in compliance with the LGPD.

In [27]:
% Resetting scenario
?- retract(dcIsCollectingDSData(id(10),dataController('Bank B'),dataSubject('John'),
                        personalData('John','john@mail.com'),sensitiveData('John','transactional_data'),
                        startDate(1638970860),endDate(1670506860))),
                        
    retract((log('Data Controller did not respect the consent revocation requested by the Data Subject, 
                and still processing. Thus, fines should be applied','Communication','Violation',1638970861))).

true.
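The check from cell In [25], rewritten as a reusable rule that works for any controller and subject and does not write the same violation twice when it is re-run. This is an added SWI-Prolog example, not part of the original notebook: `revocationViolation/3` and `recordViolation/3` are hypothetical names, and the sample facts (including the `'Invalid'` status after revocation) are constructed.

```prolog
% Added example for SWI-Prolog; not part of the original notebook.
% dcIsCollectingDSData/7, consentTermStatus/4 and log/4 follow the page;
% revocationViolation/3 and recordViolation/3 are hypothetical names.
:- dynamic dcIsCollectingDSData/7, consentTermStatus/4, log/4.

% Constructed sample facts: the state after John revoked his consent.
consentTermStatus(id(10), dataController('Bank B'), dataSubject('John'),
                  status('Invalid')).   % assumed status value after revocation

log('Data Subject requested to the Data Controller to revoke his/her consent',
    'Communication', 'Permission', 1638970861).

dcIsCollectingDSData(id(10), dataController('Bank B'), dataSubject('John'),
                     personalData('John', 'john@mail.com'),
                     sensitiveData('John', 'transactional_data'),
                     startDate(1638970860), endDate(1670506860)).

% revocationViolation(-DC, -DS, -RevokedAt)
% True when DC holds a collection record for DS that runs past a logged
% revocation request and no consent term with status 'Valid' backs it.
% Limitation inherited from the page's log/4: the revocation entry carries
% no subject or controller, so it is matched by text and date only.
revocationViolation(DC, DS, RevokedAt) :-
    log('Data Subject requested to the Data Controller to revoke his/her consent',
        'Communication', 'Permission', RevokedAt),
    dcIsCollectingDSData(id(Id), dataController(DC), dataSubject(DS), _, _,
                         startDate(_), endDate(End)),
    End > RevokedAt,
    % Id, DC and DS are bound here, so negation as failure is safe.
    \+ consentTermStatus(id(Id), dataController(DC), dataSubject(DS),
                         status('Valid')).

% recordViolation(-DC, -DS, -RevokedAt)
% Writes one 'Violation' entry per finding; re-running adds no duplicates,
% which keeps the evidence log readable for the Data Subject.
recordViolation(DC, DS, RevokedAt) :-
    revocationViolation(DC, DS, RevokedAt),
    format(atom(Event),
           'Data Controller ~w did not respect the consent revocation requested by Data Subject ~w',
           [DC, DS]),
    (   log(Event, 'Communication', 'Violation', RevokedAt)
    ->  true
    ;   assertz(log(Event, 'Communication', 'Violation', RevokedAt))
    ).

% Usage:
%   ?- recordViolation(DC, DS, When).
%   ?- log(Event, 'Communication', 'Violation', Date).
```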

----
#### Cause-effect: Data breach, what to do? 

The Data Controller must inform the national authority and the Data Subject when a data breach occurs that may cause risks or damage to the Data Subject.

Such communication has to be done as soon as possible and should inform:
- personal data category
- what data were leaked
- what were the technical and security measures used to protect data
- the risks related to the incident
- what the data controller will do to revert or mitigate the damage

Depending on the incident severity, the Data Controller will have to disclose such an event in high-impact communication media.

In this sense, let's picture that the Data Controller suffered a hacker attack, the Data Subject's personal data were leaked on social media, and he is receiving a few calls from different numbers. So, the Data Controller is **obligated to** inform the ANPD of the incident and inform the Data Subject that his phone number was leaked.

Even though the Data Subject has revoked his consent, he has to be informed about the data breach, as his data are still in the Data Controller's database.

![Scenario2_DataBreach](./img/Scenario2_DataBreach.png "Process 2.2")
Fig.8 - Data Breach Scenario Process.

Thus, let's translate this scenario into Prolog facts.

First, once Bank B figures out that there is a data breach, the ANPD and the data subjects involved have to be informed about it.


In [28]:
log('Data Controller Bank B triggered an alert to ANPD and to all data subjects affected by
    the data breach informing that all e-mails were exposed','Communication','Obligation',1638970870).



Next, Bank B has to explain the security measures it had adopted to avoid a data breach.

In [29]:
log('Data Controller Bank B informed the security measures to do not let data breach occurs',
    'Communication','Obligation',1638970871).



Then, Bank B fixes the vulnerability and informs the data subjects as well.

In [30]:
log('Data Controller Bank B informed that the vulnerability was found 
    and there is no unauthorized access anymore','Communication','Compliance',1638970872).



Furthermore, Bank B informs the Data Subjects that there is a technical group available to help anyone who has had trouble caused by this incident.

In [31]:
log('Data Controller Bank B created a technical team to help any data subject 
    that have had issues with this incident','Communication','Obligation',1638970873).



As the log shows, this case can end in many different ways depending on the damage caused to the data subjects involved. Here, as the data subject received just a few calls and there was low damage, he decided not to enter into a dispute to obtain compensation, even though the data controller has **violated** the Data Subject's privacy.

Moreover, if the Data Controller omits any fact when informing the Data Subjects about unauthorized access, or neglects system security, fines should be applied to the Data Controller.

Last but not least, once the Data Controller notices a data breach or is informed of one, it has to act immediately. **LGPD Art. 48**

In [32]:
?- log(Event,Type,DeonticOperator,Date) {-1}.

Event = Data Subject can ask if the Data Controller is processing his/her data, Type = Explanation, DeonticOperator = Permission, Date = 1638970860 ;
Event = Data Subject verified the consent term and it was ok, Type = Explanation, DeonticOperator = Obligation, Date = 1638970860 ;
Event = Data Subject agrees with consent term, Type = Communication, DeonticOperator = Compliance, Date = 1638970860 ;
Event = Data Controller can collect the Data Subject information, Type = Explanation, DeonticOperator = Permission, Date = 1638970860 ;
Event = Data Controller can store the Data Subject information, Type = Explanation, DeonticOperator = Permission, Date = 1638970860 ;
Event = Data Controller can process the Data Subject information, Type = Explanation, DeonticOperator = Permission, Date = 1638970860 ;
Event = Data Subject can now have all foressen rights, Type = Explanation, DeonticOperator = Permission, Date = 1638970860 ;
Event = Data Subject considered he does not want to receive more off

Therefore, the data breach impacts many LGPD relationships as depicted in Figure 9.


![DataBreachImpact](./img/DataBreachImpact.png "Data Breach Impact")
Fig.9 - Data Breach Impact.

First, as mentioned before, a data breach event must be communicated to all impacted agents. This message must contain the security methods and the storage technologies applied to avoid a data breach. However, this is an event that could trigger other impacts. For instance, after a data breach, the data subject could enter into a dispute resolution claiming discrimination, loss, and unauthorized uses of his/her data.

Furthermore, the Data Subject might request changes in the consent term, impacting the sharing policies and access restriction. Also, the Data Subject might request consent revocation or data deletion, which affects data collecting, processing, and storing.

In [33]:
% Resetting scenario
?- retract(log('Data Controller Bank B triggered an alert to ANPD and to all data subjects affected by
    the data breach informing that all e-mails were exposed','Communication','Obligation',1638970870)).
    
?- retract(log('Data Controller Bank B informed the security measures to do not let data breach occurs',
    'Communication','Obligation',1638970871)).
                        
?- retract(log('Data Controller Bank B informed that the vulnerability was found 
    and there is no unauthorized access anymore','Communication','Compliance',1638970872)).
    
?- retract(log('Data Controller Bank B created a technical team to help any data subject 
    that have had issues with this incident','Communication','Obligation',1638970873)).

true.
true.
true.
true.

----
#### Cause-effect: How to get evidences that the Data Controller leaked the Data Subject's data? 

To create concrete evidence that a Data Controller leaked a Data Subject's data, it is first important to verify who has such data. If just one Data Controller is legally storing such data, the chances that this Data Controller leaked the personal data are elevated.

Moreover, the data controller is **obligated** to inform whether personal or sensitive data is stored in its database. The data subject can request such information from each data controller.

However, as Bank A has the same data as Bank B, verifying who leaked the data is even more difficult and may make the process below inconclusive.

![Scenario2.2_Process](./img/Scenario2.2_Process.png "Process 2.2")
Fig.10 - Data Leak Process.

In summary, it is important for the data subject to check the consent term in order to verify whether there is any clause or condition that permits the data controller to share data with others. If the data subject disagrees with such a clause, he is **permitted** to revoke the consent term at any time.

In [34]:
% This command sets that Bank A, i.e., the origin institution, has the same data as Bank B.

dcIsStoringDSData(id(20),dataController('Bank A'),dataSubject('John'),
                    personalData('John','john@mail.com'),sensitiveData('John','transactional_data'),
                    startDate(1638970860),endDate(1670506860)).



In [35]:
% This command verifies who is storing John's personal and sensitive data.

?- dcIsStoringDSData(id(ID),dataController(DataController),dataSubject('John'),
                    personalData('John','john@mail.com'),sensitiveData('John','transactional_data'),
                    startDate(1638970860),endDate(1670506860)).

ID = 10, DataController = Bank B ;
ID = 20, DataController = Bank A .

Now, let's picture that the Data Controller Institution ABC has John's data.

In [36]:
dcIsStoringDSData(id(null),dataController('Institution ABC'),dataSubject('John'),
                    personalData('John','john@mail.com'),sensitiveData('John','transactional_data'),
                    startDate(1638970860),endDate(1670506860)).



In [37]:
% These commands:
%   (i) verifies if the Data Controller is storing the Data Subject's data;
%  (ii) verifies if there is any evidence that the Data Subject allowed the Data Controller to process his/her data;
% (iii) if all previous verifications are true, insert in the log that the Data Controller is not allowed 
%       to collect the Data Subject's data.

%(i)
?- dcIsStoringDSData(id(null),dataController('Institution ABC'),dataSubject('John'),
                    personalData('John','john@mail.com'),sensitiveData('John','transactional_data'),
                    startDate(1638970860),endDate(1670506860)).

%(ii)
?- dsAgreeWithConsentTerms(dataSubject('John'),dataController('Institution ABC'),startDate(1638970860),endDate(1670506860)).
   
%(ii)
?- consentTermStatus(id(10),dataController('Bank B'),dataSubject('John'),status('Valid')).

%(iii)
?- assertz(log('Data Subject did not agree with Institution ABC consent term, so the data was improperly collected, 
    fines should be applied','Explanation','Violation',1638970861)).

true.
false.
false.
true.

Therefore, the event log will show that there is no consent agreement between John and Institution ABC.

Hence, Institution ABC is **prohibited** from using such data, i.e., the data was improperly collected.
Moreover, as Bank A and Bank B are the only Data Controllers storing John's data, probably Bank A or Bank B **violated**, on purpose or not, the consent term, and the data were leaked from Bank A or Bank B to Institution ABC.

Moreover, this scenario presents the same possible impacts depicted in Figure 9 of the previous plot.

In [38]:
?- log(Event,Type,DeonticOperator,Date) {-1}.

Event = Data Subject can ask if the Data Controller is processing his/her data, Type = Explanation, DeonticOperator = Permission, Date = 1638970860 ;
Event = Data Subject verified the consent term and it was ok, Type = Explanation, DeonticOperator = Obligation, Date = 1638970860 ;
Event = Data Subject agrees with consent term, Type = Communication, DeonticOperator = Compliance, Date = 1638970860 ;
Event = Data Controller can collect the Data Subject information, Type = Explanation, DeonticOperator = Permission, Date = 1638970860 ;
Event = Data Controller can store the Data Subject information, Type = Explanation, DeonticOperator = Permission, Date = 1638970860 ;
Event = Data Controller can process the Data Subject information, Type = Explanation, DeonticOperator = Permission, Date = 1638970860 ;
Event = Data Subject can now have all foressen rights, Type = Explanation, DeonticOperator = Permission, Date = 1638970860 ;
Event = Data Subject considered he does not want to receive more off

In [39]:
% Resetting scenario
?- retract(log('Data Subject did not agree with Institution ABC consent term, so the data was improperly collected, 
    fines should be applied','Explanation','Violation',1638970861)),
    
    retract(dcIsStoringDSData(id(null),dataController('Institution ABC'),dataSubject('John'),
                    personalData('John','john@mail.com'),sensitiveData('John','transactional_data'),
                    startDate(1638970860),endDate(1670506860))).

true.
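The triage reasoning of this section (a holder without a consent agreement, and the legally storing controllers as candidate sources) expressed as rules instead of one-off queries. This is an added SWI-Prolog example, not part of the original notebook: `hasAgreement/2`, `unauthorizedHolder/3`, `candidateSource/3` and `leakReport/4` are hypothetical names, and the consent agreements for Bank A and Bank B are constructed sample facts.

```prolog
% Added example for SWI-Prolog; not part of the original notebook.
% dcIsStoringDSData/7 and dsAgreeWithConsentTerms/4 follow the page;
% all other predicate names are hypothetical.
:- dynamic dcIsStoringDSData/7, dsAgreeWithConsentTerms/4.

% Constructed sample facts: two controllers with an agreement, one without.
dsAgreeWithConsentTerms(dataSubject('John'), dataController('Bank A'),
                        startDate(1638970860), endDate(1670506860)).
dsAgreeWithConsentTerms(dataSubject('John'), dataController('Bank B'),
                        startDate(1638970860), endDate(1670506860)).

dcIsStoringDSData(id(10), dataController('Bank B'), dataSubject('John'),
                  personalData('John', 'john@mail.com'),
                  sensitiveData('John', 'transactional_data'),
                  startDate(1638970860), endDate(1670506860)).
dcIsStoringDSData(id(20), dataController('Bank A'), dataSubject('John'),
                  personalData('John', 'john@mail.com'),
                  sensitiveData('John', 'transactional_data'),
                  startDate(1638970860), endDate(1670506860)).
dcIsStoringDSData(id(null), dataController('Institution ABC'), dataSubject('John'),
                  personalData('John', 'john@mail.com'),
                  sensitiveData('John', 'transactional_data'),
                  startDate(1638970860), endDate(1670506860)).

% hasAgreement(+DS, +DC): DS accepted a consent term from DC.
hasAgreement(DS, DC) :-
    dsAgreeWithConsentTerms(dataSubject(DS), dataController(DC), _, _).

% unauthorizedHolder(?DS, ?DC, ?PData)
% DC stores DS's personal data although no consent agreement exists.
unauthorizedHolder(DS, DC, PData) :-
    dcIsStoringDSData(_, dataController(DC), dataSubject(DS),
                      personalData(DS, PData), _, _, _),
    \+ hasAgreement(DS, DC).

% candidateSource(?DS, ?PData, ?DC)
% DC stores the same personal data under a consent agreement, so the data
% could have left through DC.
candidateSource(DS, PData, DC) :-
    dcIsStoringDSData(_, dataController(DC), dataSubject(DS),
                      personalData(DS, PData), _, _, _),
    hasAgreement(DS, DC).

% leakReport(?DS, -Holder, -Sources, -Verdict)
% One legal holder makes that controller the likely source; several legal
% holders leave the question open, as the section notes for Bank A and Bank B.
leakReport(DS, Holder, Sources, Verdict) :-
    unauthorizedHolder(DS, Holder, PData),
    findall(DC, candidateSource(DS, PData, DC), Found),
    sort(Found, Sources),
    length(Sources, N),
    (   N =:= 1 -> Verdict = single_candidate
    ;   N > 1   -> Verdict = inconclusive
    ;   Verdict = no_agreed_holder
    ).

% Usage:
%   ?- leakReport('John', Holder, Sources, Verdict).
```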

----
#### Cause-effect: Requesting data correction

Data correction is one of the Data Subject's rights foreseen in the LGPD from the moment that the consent term is accepted.
Even if the Data Subject revokes his/her consent, the data will not be deleted; an express data deletion request is required.

So, in order to check whether the data correction request was accomplished, the Data Subject should call another right - data access.

The data controller is **obligated** to abide by the data subject's requests for correction as well as for data access.
Also, the controller is **obligated** to inform all processors regarding the correction.


<div>
<img src="./img/Scenario2.3_Process.png" width="600"/>
</div>
Fig.11 - Data Correction Process.

First, the Data Subject should verify if the Data Controller is storing his/her data.

In [40]:
?- dcIsStoringDSData(id(ID),dataController('Bank B'),dataSubject('John'),
                    personalData('John','john@mail.com'),sensitiveData('John','transactional_data'),
                    startDate(1638970860),endDate(1670506860)).

ID = 10 .

If true, the Data Subject should have the right to data access and data correction.

In [41]:
?- dsRight(dataAccess,dataSubject('John'),dataController('Bank B')),
    dsRight(dataCorrection,dataSubject('John'),dataController('Bank B')).

true.

Then, the Data Subject is able to request and verify if the data was changed.

In [42]:
log('Data Subject requested to change his e-mail criptojohn@mail.com','Communication','Permission',1638970866).



And the Data Controller executed this correction.

In [43]:
% First, the Data Controller verifies if the Data Subject has the rights required to perform such action.
% Then, remove the incorrect data and insert the new data.


?-  dsRight(dataCorrection,dataSubject('John'),dataController('Bank B')),

    retract(dcIsStoringDSData(id(10),dataController('Bank B'),dataSubject('John'),
                    personalData('John','john@mail.com'),sensitiveData('John','transactional_data'),
                    startDate(1638970860),endDate(1670506860))),

    assertz(dcIsStoringDSData(id(10),dataController('Bank B'),dataSubject('John'),
                    personalData('John','criptojohn@mail.com'),sensitiveData('John','transactional_data'),
                    startDate(1638970860),endDate(1670506860))),
    
    assertz(log('Data Controller has to execute the Data Subject s requerst','Explanation','Obligation',1638970866)),
        
    assertz(log('Data Controller changed the data as requested by the Data Subject','Communication','Compliance',1638970867)),
    
    assertz(log('Data Controller notified all processors regarding the data corretion','Communication','Compliance',1638970867)).

true.

Hence, as the data controller attended to the data subject's request, it is still in **compliance** with the LGPD. The Data Subject can verify whether the data was fixed.

In [44]:
% If the Data Subject has the right to access his/her data, then he/she is able to verify if his/her data was fixed.

?-  dsRight(dataAccess,dataSubject('John'),dataController('Bank B')),
    dcIsStoringDSData(id(10),dataController(DataController),dataSubject('John'),
                    personalData('John',Email),sensitiveData('John','transactional_data'),
                    startDate(1638970860),endDate(1670506860)),
    assertz(log('Data Subject confirmed that the data was fixed','Explanation','Permission',1638970868)).

DataController = Bank B, Email = criptojohn@mail.com .

In [45]:
?- log(Event,Type,DeonticOperator,Date), Date >= 1638970866 {-1}.

Event = Data Subject requested to change his e-mail criptojohn@mail.com, Type = Communication, DeonticOperator = Permission, Date = 1638970866 ;
Event = Data Controller has to execute the Data Subject s requerst, Type = Explanation, DeonticOperator = Obligation, Date = 1638970866 ;
Event = Data Controller changed the data as requested by the Data Subject, Type = Communication, DeonticOperator = Compliance, Date = 1638970867 ;
Event = Data Controller notified all processors regarding the data corretion, Type = Communication, DeonticOperator = Compliance, Date = 1638970867 ;
Event = Data Subject confirmed that the data was fixed, Type = Explanation, DeonticOperator = Permission, Date = 1638970868 .

Therefore, the data correction impacts many LGPD relationships as depicted in Figure 12.

![DataCorrectionImpact](./img/DataCorrectionImpact.png "Data Correction Impact")
Fig.12 - Data Correction Impact.

The data correction impacts data processing and data storage, as the personal or sensitive data were changed. Therefore, Data Controllers and Processors should also verify if the copy requested by the Data Subject is the updated personal and sensitive data.

In [46]:
% Resetting scenario
?-  retract(log('Data Subject requested to change his e-mail criptojohn@mail.com','Communication','Permission',1638970866)),
    retract(log('Data Controller has to execute the Data Subject s requerst','Explanation','Obligation',1638970866)),
    retract(log('Data Controller changed the data as requested by the Data Subject','Communication','Compliance',1638970867)),
    retract(log('Data Subject confirmed that the data was fixed','Explanation','Permission',1638970868)),
    retract(log('Data Controller notified all processors regarding the data corretion','Communication','Compliance',1638970867)),
    retract(dcIsStoringDSData(id(10),dataController('Bank B'),dataSubject('John'),
                    personalData('John','criptojohn@mail.com'),sensitiveData('John','transactional_data'),
                    startDate(1638970860),endDate(1670506860))).
    %assertz(dcIsStoringDSData(id(10),dataController(universityXYZ),dataSubject('John'),
    %                personalData('John','john@mail.com'),sensitiveData('John','transcripts'),
    %                startDate(1622035260),endDate(1637846460))).

true.

----
#### Cause-effect: Requesting anonymization

Let's picture that the Data Subject exercised the data anonymization right. Once the data is anonymized, the Data Controller will not have the resources to give any details about such data, including correction. Hence, after this request, the data controller is **not obligated** to comply with requests that would involve re-identification actions.

Also, the controller is **obligated** to inform all processors regarding the anonymization.

Here, questions regarding the anonymization algorithms could emerge, but this is not the focus of this work.
This work focuses on understanding the causes and consequences of possible scenarios.

TAG \[Domain specificity]: 
In the open banking scenario, the data anonymization request may imply that the Data Subject stops receiving offers and products from Bank B.

In [47]:
?- checkConsentTerm(id(11),dataController('Bank B'),
                        dataSubject('John'),
                        purpose('Bank B','offer_products_and_services'),
                        'create_specific_offers',
                        'data_analytics',
                        31536000,
                        'none',
                        'e-mail',
                        'lgpd@bankb.br',
                        1639970860).                        

true.

In [48]:
?- setThatdsAgreeWithConsentTerms(id(11),
                                dataSubject('John'),
                                dataController('Bank B'),
                                requestFormat('Direct','John','null'),
                                personalData('John','john@mail.com'),
                                sensitiveData('John','transactional_data'),
                                startDate(1639970860),
                                endDate(EndDate)), EndDate is 1639970860+31536000.

EndDate = 1671506860 .

In [49]:
?- setDSRights(dataSubject('John'),dataController('Bank B'),startDate(1639970860)).

true.

Once the data is anonymized, the Data Controller will not have the resources to give any details about such data, including correction. Hence, if the Data Subject submits this request, he will not be able to participate in this discipline. The data controller is **not obligated** to comply with requests that should involve deidentification actions.


<div>
<img src="./img/Scenario2.4_Process.png" width="600"/>
</div>
Fig.13 - Data Anonymization Process.

First, the Data Subject should show that the Data Controller has his data.

TAG \[Domain specificity]: 
- As anonymization makes it impossible for Bank B to execute its purpose, i.e., create and send specific products and services based on the Data Subject's data, Bank B should ask if the Data Subject would like to revoke his consent. However, one of the very first steps in this scenario description is the consent revocation action; hence, the data subject has already revoked his consent.

In [50]:
?- dcIsStoringDSData(id(11),dataController('Bank B'),dataSubject('John'),
                        personalData('John','john@mail.com'),sensitiveData('John','transactional_data'),
                        startDate(1639970860),endDate(1671506860)),
                    
    assertz(log('Data Subject requested to anonymize his data','Communication','Permission',1639970862)).

true.

Next, the Data Controller fulfills the Data Subject's request.

In [51]:
?- retract(dcIsStoringDSData(id(11),dataController('Bank B'),dataSubject('John'),
                        personalData('John','john@mail.com'),sensitiveData('John','transactional_data'),
                        startDate(1639970860),endDate(1671506860))),

    assertz(dcIsStoringDSData(id(_),dataController('Bank B'),dataSubject(_),
                    personalData(_,_),sensitiveData(_,'anonymized_transactional_data'),
                    startDate(1639970860),endDate(1671506860))),

    assertz(log('Data Controller has to execute the Data Subject s request','Delete-Anonymise','Compliance',1671506863)),
    assertz(log('Data Controller has to notify all processors regarding the anonymization request','Delete-Anonymise','Compliance',1671506863)),
    assertz(log('Data Controller anonymized the Data Subjects data','Delete-Anonymise','Compliance',1671506863)),
    assertz(log('Data Controller notified the Data Subject that the purpose will not be executed anymore','Delete-Anonymise','Compliance',1671506863)),    
    assertz(log('Data Subject cannot request data: access, copy, correction,anonymization, 
            portability, deletion, and details of data sharing','Communication','Prohibition',1671506863)),
            
    assertz(log('Data Subject does not accept to share his information anymore','Communication','Prohibition',1671506863)),
    
    retract(dsRight(dataAccess,dataSubject('John'),dataController('Bank B'))),
    retract(dsRight(dataCopy,dataSubject('John'),dataController('Bank B'))),
    retract(dsRight(dataCorrection,dataSubject('John'),dataController('Bank B'))),
    retract(dsRight(dataAnonymization,dataSubject('John'),dataController('Bank B'))),
    retract(dsRight(dataPortability,dataSubject('John'),dataController('Bank B'))),
    retract(dsRight(dataDeletion,dataSubject('John'),dataController('Bank B'))),
    retract(dsRight(dataSharingInformation,dataSubject('John'),dataController('Bank B'))).

 ;
 .

Now, the Data Subject's sensitive data is not associated with any personal data that could identify that such data is from the Data Subject. Hence, the data controller is in **compliance** with LGPD.

In [52]:
?- dcIsStoringDSData(id(_),dataController('Bank B'),dataSubject(DataSubject),
                    personalData(_,_),sensitiveData(_,'anonymized_transactional_data'),
                    startDate(1639970860),endDate(1671506860)).

DataSubject = Variable(70) .

In [53]:
?- log(Event,Type,DeonticOperator,Date), Date >= 1639970862 {-1}.

Event = Data Subject requested to anonymize his data, Type = Communication, DeonticOperator = Permission, Date = 1639970862 ;
Event = Data Controller has to execute the Data Subject s request, Type = Delete-Anonymise, DeonticOperator = Compliance, Date = 1671506863 ;
Event = Data Controller has to notify all processors regarding the anonymization request, Type = Delete-Anonymise, DeonticOperator = Compliance, Date = 1671506863 ;
Event = Data Controller anonymized the Data Subjects data, Type = Delete-Anonymise, DeonticOperator = Compliance, Date = 1671506863 ;
Event = Data Controller notified the Data Subject that the purpose will not be executed anymore, Type = Delete-Anonymise, DeonticOperator = Compliance, Date = 1671506863 ;
Event = Data Subject cannot request data: access, copy, correction,anonymization, portability, deletion, and details of data sharing, Type = Communication, DeonticOperator = Prohibition, Date = 1671506863 ;
Event = Data Subject does not accept to share his info

Furthermore, the remaining rights are the right to ask whether a Data Controller is processing his/her data and the right to request consent revocation.

In [54]:
?- dsRight(RIGHT,dataSubject('John'),dataController('Bank B')).

RIGHT = processingConfirmation ;
RIGHT = requestConsentRevocation .

Therefore, the data anonymization impacts many LGPD relationships, as depicted in Figure 14.

![DataAnonymizationImpact](./img/DataAnonymizationImpact.png "Data Anonymization Impact")
Fig.14 - Data Anonymization Impact.

Data anonymization impacts almost all of the Data Subject's rights. The anonymization process may make the personal data no longer identifiable. Hence, the anonymized data is out of the LGPD's scope. In this sense, requests related to data access, deletion, correction, portability, or copy may not be answered by the Data Controller, as the Controller might not be able to identify the Data Subject anymore.

Last but not least, there are other scenarios that could be explored as well.

TAG \[Domain specificity]: 
 -  For instance, if the data subject requested anonymization and did not request consent revocation, the new data will not be anonymized.

In [55]:
% Resetting scenario
?-  assertz(dcIsStoringDSData(id(11),dataController('Bank B'),dataSubject('John'),
                        personalData('John','john@mail.com'),sensitiveData('John','transactional_data'),
                        startDate(1639970860),endDate(1671506860))),
    retract(dcIsStoringDSData(id(_),dataController('Bank B'),dataSubject(_),
                    personalData(_,_),sensitiveData(_,'anonymized_transactional_data'),
                    startDate(1639970860),endDate(1671506860))),
    retract(log('Data Subject requested to anonymize his data','Communication','Permission',1639970862)),
    retract(log('Data Controller has to execute the Data Subject s request','Delete-Anonymise','Compliance',1671506863)),
    retract(log('Data Controller has to notify all processors regarding the anonymization request','Delete-Anonymise','Compliance',1671506863)),
    retract(log('Data Controller anonymized the Data Subjects data','Delete-Anonymise','Compliance',1671506863)),
    retract(log('Data Controller notified the Data Subject that the purpose will not be executed anymore','Delete-Anonymise','Compliance',1671506863)),
    retract(log('Data Subject cannot request data: access, copy, correction,anonymization, portability, deletion, and details of data sharing','Communication','Prohibition',1671506863)),
    retract(log('Data Subject does not accept to share his information anymore','Communication','Prohibition',1671506863)),
    assertz(dsRight(dataAccess,dataSubject('John'),dataController('Bank B'))),
    assertz(dsRight(dataCopy,dataSubject('John'),dataController('Bank B'))),
    assertz(dsRight(dataCorrection,dataSubject('John'),dataController('Bank B'))),
    assertz(dsRight(dataAnonymization,dataSubject('John'),dataController('Bank B'))),
    assertz(dsRight(dataPortability,dataSubject('John'),dataController('Bank B'))),
    assertz(dsRight(dataDeletion,dataSubject('John'),dataController('Bank B'))),
    assertz(dsRight(dataSharingInformation,dataSubject('John'),dataController('Bank B'))),
    retract(consentTermStatus(id(11),dataController('Bank B'),dataSubject('John'),status('Valid'))),
    assertz(consentTermStatus(id(11),dataController('Bank B'),dataSubject('John'),status('Invalid'))).

true.

----
#### Cause-effect: Data deletion

As mentioned before, there is more than one definition of data deletion. In the aforementioned case, we anonymized the data, which can be considered data deletion. Now, let's picture that the Data Subject John wants to destroy his data in Bank B's database.

This means that John will not be able to subscribe to any class from Bank B.

Moreover, the following purposes, also described in LGPD art. 16, legitimize the retention, i.e., they **allow** the Data Controller to keep the personal data stored in the database:
 - I - compliance with a legal or regulatory obligation by the controller;
 - II - study by a research institution, ensuring, whenever possible, the anonymization of personal data;
 - III - transfer to a third party, provided that the data processing requirements set out in this Law are respected; or
 - IV - exclusive use of the controller, its access by a third party is prohibited, and anonymization is required as well.


<div>
<img src="./img/Scenario2_DataDeletion.png" width="600"/>
</div>
Fig.15 - Data Deletion Process.

Bank B's purpose is not based on any of the aforementioned situations; hence, Bank B must accept the Data Subject's request.

In [56]:
?- purpose('Bank B','John',Purpose).

Purpose = offer_products_and_services .

In order to specify the rule that defines if the Data Controller has the right to keep the Data Subject's data, we developed the following function.

In [57]:
% Description: This function verifies if the Data Controller's purpose is eligible to hold the Data Subject's data.
% This function receives the params:
%  i. Data Controller
% ii. Data Subject

verifyIfDCCanHoldDSData(dataController(DC),dataSubject(DS)) :-
    purpose(DC,DS,legalObligation), assertz(dcCanHoldData(dataController(DC),dataSubject(DS)));
    purpose(DC,DS,research), assertz(dcCanHoldData(dataController(DC),dataSubject(DS)));
    purpose(DC,DS,transferToThirdParty), assertz(dcCanHoldData(dataController(DC),dataSubject(DS)));
    purpose(DC,DS,exclusiveDCUse), assertz(dcCanHoldData(dataController(DC),dataSubject(DS)));
    % Fallback: assert a placeholder fact so the call still succeeds when no listed purpose matches.
    assertz(dcCanHoldData('','')).



So, let's run the above function to verify if a new fact is generated informing that the Data Controller can hold the Data Subject's data.

In [58]:
?- verifyIfDCCanHoldDSData(dataController('Bank B'),dataSubject('John')). 

true.

Then, let's verify if such a fact was generated.

In [59]:
?- dcCanHoldData(dataController('Bank B'),dataSubject('John')).

false.

The result is 'false' because the purpose differs from the purposes listed by the LGPD that allow the Data Controller to keep the data.
In this sense, let's simulate the request for data deletion from the Data Subject John to the Data Controller Bank B.

In [60]:
log('Data Subject requested to delete his data','Communication','Permission',1639970864).



In [61]:
log('Data Controller received the data deletion request and will evaluate the solicitation','Communication','Compliance',1639970865).



The code below checks whether the Data Controller can hold the Data Subject's information. If so, two new log activities are recorded. Otherwise, the code returns false and the two log activities are not recorded.

In [62]:
?- dcCanHoldData(dataController('Bank B'),dataSubject('John')),
    
    assertz(log('Data Controller can hold the data because its purpose allows it.','Explanation','Permission',1639970866)),

    assertz(log('Data Controller decided to keep the data on the database.','Communication','Compliance',1639970867)).

false.

In [63]:
% Description: This function records the obligation to delete the Data Subject's data when the Data Controller is not allowed to hold it.
% This function receives the params:
%    i. Data Subject
%   ii. Data Controller
%  iii. Date Time

requestToDeleteDSData(dataSubject(DS),dataController(DC),date(DT)) :- 
 not(dcCanHoldData(dataController(DC),dataSubject(DS))),
 assertz(log('Data Controller has to delete the data','Communication','Obligation',DT)).



In [64]:
?- requestToDeleteDSData(dataSubject('John'),dataController('Bank B'),date(1639970868)).

true.

Why 1: This method returned true because the Data Controller **cannot keep** the Data Subject's data, as presented below.

In [65]:
?-  dcCanHoldData(dataController('Bank B'),dataSubject('John')).

false.

Why 2: The Data Controller cannot keep the personal data because it will not be used for any of the aforementioned situations.

In [66]:
?- purpose(DC,'John',Purpose).

DC = Bank B, Purpose = offer_products_and_services .

It means that the purpose presented by the Data Controller is **not valid** grounds for Bank B to hold the Data Subject's data.

In [67]:
?- log(Event,Type,DeonticOperator,Date), Date >= 1639970864 {-1}.

Event = Data Subject requested to delete his data, Type = Communication, DeonticOperator = Permission, Date = 1639970864 ;
Event = Data Controller received the data deletion request and will evaluate the solicitation, Type = Communication, DeonticOperator = Compliance, Date = 1639970865 ;
Event = Data Controller has to delete the data, Type = Communication, DeonticOperator = Obligation, Date = 1639970868 .

Therefore, as depicted in Figure 16, the request for data deletion may have different impacts depending on the purpose limitation. For example, the data storage may have to anonymize the data. Moreover, if the data was deleted or anonymized, the Data Controller can no longer fulfil requests related to data correction, portability, and copy.

![DataDeletionImpact](./img/DataDeletionImpact.png "Data Deletion Impact")
Fig.16 - Data Deletion Impact.

In [68]:
% Resetting scenario
?-  retract(log('Data Subject requested to delete his data','Communication','Permission',1639970864)),
    retract(log('Data Controller received the data deletion request and will evaluate the solicitation',
        'Communication','Compliance',1639970865)),
    retract(log('Data Controller has to delete the data','Communication','Obligation',1639970868)).

true.

----
#### Cause-effect: Technology unavailability

Companies are vulnerable to technical faults, unavailability, or security breaches. In this sense, Data Subjects might be impacted by technology troubles. In some cases, technology unavailability may not impact Data Subjects, but only companies' internal processes.

In this scenario, we will simulate an event of technology unavailability, i.e., let's suppose that Bank B's cloud server, which stores personal data, is offline. Internally, Bank B suffered a high impact from this unavailability; all systems that depend on this database are offline, i.e., the internal data governance is jeopardized/compromised. Hence, employees and clients cannot access any internal system.

Figure 17 depicts the impact of system unavailability.

![DataUnavailabilityImpact](./img/DataUnavailabilityImpact.png "Data Unavailability Impact")
Fig.17 - Data Unavailability Impact.

Besides governance, data unavailability may directly impact the users' rights. For example, the Data Controller and Processor cannot delete or correct data if the system is unavailable. Moreover, if a Data Controller requests portability or anonymization, the Data Controller will not be able to attend to such requests as fast as expected; a considerable delay is expected instead. Furthermore, fines can be applied depending on the delay, but they should be evaluated case by case.

Last but not least, in this scenario, depending on the moment of this data unavailability, the impact might be more, or less, severe. For instance, if a client wants to subscribe to a service that will improve the client's profit, he/she will probably be affected if the operation does not finalize. As a result, the client could lose the yield of such a day.

Conversely, if the unavailability occurs on the weekend, the clients may not be impacted.

----
#### Cause-effect: Inconsistent behavior

Forecasting human behavior can be a big challenge; strange behaviors can originate from different sources, such as a bad interface, system instability or error, or a malicious person. In this sense, let's picture a person who agrees to and revokes consent repeatedly within a short time span.

TAG \[Domain specificity]: In the open banking scenario, this behavior might indicate that the client is confused regarding the process of sharing his/her information, or the client is trying to manipulate the data to get benefits.

In [69]:
?- createConsentTerm(12,'Bank B','John','john@mail.com','personal_and_transactional','offer_products_and_services',
                'create_specific_offers',
                'data_analytics',
                31536000,
                'none',
                'e-mail',
                'lgpd@bankb.br',
                'SHA256',
                'Authorized employees can access the data only',
                'Bank B private cloud'),
                
    assertz(dsRight(processingConfirmation,dataSubject('John'),dataController('Bank B'))),
    assertz(log('Data Subject can ask if the Data Controller is processing his/her data','Explanation','Permission',1639970870)),

    checkConsentTerm(id(12),dataController('Bank B'),
                        dataSubject('John'),
                        purpose('Bank B','offer_products_and_services'),
                        'create_specific_offers',
                        'data_analytics',
                        31536000,
                        'none',
                        'e-mail',
                        'lgpd@bankb.br',
                        1638970860),    
                        
    setThatdsAgreeWithConsentTerms(id(12),
                                dataSubject('John'),
                                dataController('Bank B'),
                                requestFormat('Direct','John','null'),
                                personalData('John','john@mail.com'),
                                sensitiveData('John','transactional_data'),
                                startDate(1639970870),
                                endDate(EndDate)), EndDate is 1639970870+31536000.
                        
    setDSRights(dataSubject('John'),dataController('Bank B'),startDate(1639970870)).

EndDate = 1671506870 ;
EndDate = 1671506870 ;
EndDate = 1671506870 ;
EndDate = 1671506870 ;
EndDate = 1671506870 ;
EndDate = 1671506870 ;
EndDate = 1671506870 ;
EndDate = 1671506870 ;
EndDate = 1671506870 ;
EndDate = 1671506870 .

In [70]:
?- setDSRevokeConsent(id(12),
                        dataSubject('John'),
                        dataController('Bank B'),
                        personalData('John','john@mail.com'),
                        sensitiveData('John','transactional_data'),
                        now(1639970872),
                        startDate(1639970870),
                        endDate(EndDate)
                        ), 
                        EndDate is 1639970870+31536000.

EndDate = 1671506870 ;
EndDate = 1671506870 ;
EndDate = 1671506870 ;
EndDate = 1671506870 .

In [71]:
?- createConsentTerm(13,'Bank B','John','john@mail.com','personal_and_transactional','offer_products_and_services',
                'create_specific_offers',
                'data_analytics',
                31536000,
                'none',
                'e-mail',
                'lgpd@bankb.br',
                'SHA256',
                'Authorized employees can access the data only',
                'Bank B private cloud').

true.

In [72]:
?- assertz(dsRight(processingConfirmation,dataSubject('John'),dataController('Bank B'))),
    assertz(log('Data Subject can ask if the Data Controller is processing his/her data','Explanation','Permission',1639970872)).

true.

In [73]:
?- checkConsentTerm(id(13),dataController('Bank B'),
                        dataSubject('John'),
                        purpose('Bank B','offer_products_and_services'),
                        'create_specific_offers',
                        'data_analytics',
                        31536000,
                        'none',
                        'e-mail',
                        'lgpd@bankb.br',
                        1639970872).    

 ;
 ;
 ;
 ;
 ;
 ;
 ;
 ;
 ;
 .

In [74]:
?- setThatdsAgreeWithConsentTerms(id(13),
                                dataSubject('John'),
                                dataController('Bank B'),
                                requestFormat('Direct','John','null'),
                                personalData('John','john@mail.com'),
                                sensitiveData('John','transactional_data'),
                                startDate(1639970872),
                                endDate(EndDate)), EndDate is 1639970870+31536000.

EndDate = 1671506870 ;
EndDate = 1671506870 ;
EndDate = 1671506870 ;
EndDate = 1671506870 ;
EndDate = 1671506870 ;
EndDate = 1671506870 ;
EndDate = 1671506870 ;
EndDate = 1671506870 ;
EndDate = 1671506870 ;
EndDate = 1671506870 .

In [75]:
?- setDSRights(dataSubject('John'),dataController('Bank B'),startDate(1639970872)).

true.

In [76]:
?- setDSRevokeConsent(id(13),
                        dataSubject('John'),
                        dataController('Bank B'),
                        personalData('John','john@mail.com'),
                        sensitiveData('John','transactional_data'),
                        now(1639970872),
                        startDate(1639970872),
                        endDate(EndDate)
                        ), 
                        EndDate is 1639970872+31536000.

EndDate = 1671506872 ;
EndDate = 1671506872 ;
EndDate = 1671506872 ;
EndDate = 1671506872 ;
EndDate = 1671506872 ;
EndDate = 1671506872 ;
EndDate = 1671506872 ;
EndDate = 1671506872 ;
EndDate = 1671506872 ;
EndDate = 1671506872 .

Figure 18 depicts the impacted entities.

![InconsistentBehaviorImpact](./img/InconsistentBehaviorImpact.png "Inconsistent Behaviour Impact")
Fig.18 - Inconsistent Behavior Impact.

This unusual behavior can be caught by analyzing the event log. Depending on the magnitude, this kind of event may cause damage to the system, as in a Denial of Service attack.

Moreover, in our scenario, as Bank B needs the client's data to offer products and services, the client might perform such inconsistent behavior to try to gain an advantage by hiding specific data that may compromise his/her reputation. In this case, if Bank B identifies such behavior, the bank may request additional information before starting to offer new products and services.
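One way to catch the agree/revoke pattern of cells 69 to 76 in the event log, as an added example that is not part of the original notebook. The sample `log/4` facts are constructed, the revocation event text is an assumption (this section does not show the notebook's own wording), and `consentEvent/2`, `eventAt/2`, `shortLivedConsent/3`, `inconsistentBehavior/4` and `inWindow/3` are hypothetical names. Because `log/4` carries no Data Subject or consent id, the check runs over the whole log.

```prolog
% Added example (SWI-Prolog); load it stand-alone, not inside the notebook session.
:- use_module(library(aggregate)).
:- use_module(library(apply)).
:- use_module(library(lists)).
:- dynamic log/4.

% Constructed sample log in the page's log(Event,Type,DeonticOperator,Date) shape.
% The agreement text is the one the notebook logs; the revocation text is an
% assumption of this example. The duplicate entry is deliberate: the notebook's
% log shows the same event recorded more than once.
log('Data Subject agrees with consent term','Communication','Compliance',1639970870).
log('Data Subject agrees with consent term','Communication','Compliance',1639970870).
log('Data Subject revoked the consent term','Communication','Compliance',1639970872).
log('Data Subject agrees with consent term','Communication','Compliance',1639970872).
log('Data Subject revoked the consent term','Communication','Compliance',1639970872).
log('Data Subject agrees with consent term','Communication','Compliance',1640060000).

% Maps the two event kinds of interest to their log text.
consentEvent(agree,  'Data Subject agrees with consent term').
consentEvent(revoke, 'Data Subject revoked the consent term').   % assumed wording

% eventAt(?Kind, -TS): a consent event of Kind was logged at timestamp TS.
eventAt(Kind, TS) :-
    consentEvent(Kind, Text),
    log(Text, _, _, TS).

% shortLivedConsent(+MaxLifetime, -Agree, -Revoke)
% A consent granted at Agree whose earliest following revocation (Revoke)
% happens at most MaxLifetime seconds later. aggregate_all/3 with min/1 fails
% when no revocation follows, so consents that are still active never match.
shortLivedConsent(MaxLifetime, Agree, Revoke) :-
    eventAt(agree, Agree),
    aggregate_all(min(R), (eventAt(revoke, R), R >= Agree), Revoke),
    Revoke - Agree =< MaxLifetime.

% inconsistentBehavior(+MaxLifetime, +Window, +Threshold, -Burst)
% Succeeds when at least Threshold short-lived consents fall inside one
% interval of Window seconds; Burst lists them as Agree-Revoke pairs.
% setof/3 sorts the pairs and removes duplicated log entries.
inconsistentBehavior(MaxLifetime, Window, Threshold, Burst) :-
    setof(A-R, shortLivedConsent(MaxLifetime, A, R), Cycles),
    member(Start-_, Cycles),
    Limit is Start + Window,
    include(inWindow(Start, Limit), Cycles, Burst),
    length(Burst, N),
    N >= Threshold,
    !.

% inWindow(+Start, +Limit, +Cycle): the whole cycle lies inside [Start, Limit].
inWindow(Start, Limit, Agree-Revoke) :-
    Agree >= Start,
    Revoke =< Limit.

% Example query:
% ?- inconsistentBehavior(60, 3600, 2, Burst).
```

The query asks for two or more consents that were revoked within 60 seconds of being granted, all inside one hour; the three numeric arguments are tuning parameters of this example, not values from the notebook.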

In [77]:
?- log(Event,Type,DeonticOperator,Date), Date >= 1639970870 {-1}.

Event = Data Subject can ask if the Data Controller is processing his/her data, Type = Explanation, DeonticOperator = Permission, Date = 1639970870 ;
Event = Data Subject agrees with consent term, Type = Communication, DeonticOperator = Compliance, Date = 1639970870 ;
Event = Data Controller can collect the Data Subject information, Type = Explanation, DeonticOperator = Permission, Date = 1639970870 ;
Event = Data Controller can store the Data Subject information, Type = Explanation, DeonticOperator = Permission, Date = 1639970870 ;
Event = Data Controller can process the Data Subject information, Type = Explanation, DeonticOperator = Permission, Date = 1639970870 ;
Event = Data Subject agrees with consent term, Type = Communication, DeonticOperator = Compliance, Date = 1639970870 ;
Event = Data Controller can collect the Data Subject information, Type = Explanation, DeonticOperator = Permission, Date = 1639970870 ;
Event = Data Controller can store the Data Subject information, Type =

----
#### Cause-effect: Data portability


Data portability can be explored in at least two ways. First, as with cellphone companies, data portability means migrating the Data Subject's phone number to another company: the client information should be migrated from one company to another. Second, as with video streaming companies, data portability may mean just the act of copying the data to another company, so both companies would have the same client data at the moment of the data portability request.

As the open banking scenario already acts as a kind of data portability request and exercises data sharing and consent revocation, such a cause-effect scenario will not be explored here.

----
#### Cause-effect: Plug a new consent term


Pluggable consent is a non-official proposal. However, this cause-effect scenario explores how this concept could be applied. It allows the Data Controller to create new consent terms related to a subset of actions that the Data Subject should know about. The pluggable consent must have at most the same time range as the original consent. Moreover, it also allows the Data Subject to revoke a specific plugged consent term and not the original; hence, it enables the Data Subject to keep sharing the data and using the services proposed by the Data Controller.

Let's consider that Maria wants to subscribe to a new service offered by Bank B. In this case, Maria has to agree with a pluggable consent sent by the bank. This consent term should clarify which service the bank is offering.

It is important to note that any missing (null) information will be replaced by the general consent term.

Figure 21 depicts the scenario of plugging a new consent term.

<div>
<img src="./img/PluggableConsentProcess.png" width="800"/>
</div>
Fig.21 - Pluggable Consent Process.

First, let's create a new consent term.

In [78]:
?- createConsentTerm(14,'Bank B','Maria','maria@mail.com','personal_and_transactional','offer_products_and_services',
                'create_specific_offers',
                'data_analytics',
                31536000,
                'none',
                'e-mail',
                'lgpd@bankb.br',
                'SHA256',
                'Authorized employees can access the data only',
                'Bank B private cloud').

true.

In [79]:
?- assertz(dsRight(processingConfirmation,dataSubject('Maria'),dataController('Bank B'))),
    assertz(log('Data Subject can ask if the Data Controller is processing his/her data','Explanation','Permission',1639970970)).

true.

In [80]:
?- checkConsentTerm(id(14),dataController('Bank B'),
                        dataSubject('Maria'),
                        purpose('Bank B','offer_products_and_services'),
                        'create_specific_offers',
                        'data_analytics',
                        31536000,
                        'none',
                        'e-mail',
                        'lgpd@bankb.br',
                        1639970970).    

true.

In [81]:
?- setThatdsAgreeWithConsentTerms(id(14),
                                dataSubject('Maria'),
                                dataController('Bank B'),
                                requestFormat('Direct','Maria','null'),
                                personalData('Maria','maria@mail.com'),
                                sensitiveData('Maria','transactional_data'),
                                startDate(1639970970),
                                endDate(EndDate)), EndDate is 1639970970+31536000.

EndDate = 1671506970 .

In [82]:
?- setDSRights(dataSubject('Maria'),dataController('Bank B'),startDate(1639970970)).

true.

Now, let's create the pluggable consent structure.

In [83]:
% Description: This function defines a consent term including all required information described in the LGPD Art. 9
% The consent term must inform:
%    i. Data Controller
%   ii. Data Subject
%  iii. Specific Purpose
%   iv. Form 
%    v. Time length of processing
%   vi. The purpose when sharing the data with third parties, when applied
%  vii. Communication channel for the data subject to request any information
% viii. Data Controller contact
%   ix. Cryptography Algorithm
%    x. Access Policies
%   xi. Storage Platform
%  xii. Identification to plug this term to another consent term


createPluggableConsentTerm(ID,DC,DS,PData,SData,Purpose,
                SpecificPurpose,
                Form,
                TimeLength,
                ThirdPartyPurpose,
                Channel,
                DCContact,
                CA, AP, SP, CP) :-

                assertz(id(ID)),
                assertz(dataSubject(DS)),
                assertz(dataController(DC)),
                assertz(personalData(DS,PData)),
                assertz(sensitiveData(DS, SData)),
                assertz(purpose(DC,DS,Purpose)),
                assertz(specificPurpose(DC,DS,Purpose,SpecificPurpose)),
                assertz(form(DC,DS,Purpose,SpecificPurpose,Form)),
                assertz(timeLength(DC,DS,Purpose,SpecificPurpose,TimeLength)),
                assertz(thirdyPartySharingPurpose(DC,DS,Purpose,SpecificPurpose,
                                                    TimeLength,ThirdPartyPurpose)),
                assertz(channelToProvideInformation(DC,DS,Channel,DCContact)),
                assertz(criptographyAlgoritm(CA)),
                assertz(accessPolicies(AP)),
                assertz(storagePlatform(SP)),
                assertz(consentToPlug(CP)).



In [84]:
% Pluggable consent params

%    i. DC: Data Controller
%   ii. DS: Data Subject
%  iii. PData: Personal Data
%   iv. SData: Sensitive Data
%    v. Purpose: Purpose of data usage
%   vi. SpecificPurpose: Specific motivation to request data
%  vii. Form: Processing method
% viii. TimeLength: How long the data will be shared
%   ix. ThirdPartyPurpose: If the data will be shared with third parties, explain why
%    x. Channel: Communication channel in case of doubts or requests related to the data
%   xi. DCContact: Contact of a person who is responsible for processing the data
%  xii. CA: Cryptography algorithms applied
% xiii. AP: Access policies
%  xiv. SP: Storage platform
%   xv. CP: Consent to plug

?- createPluggableConsentTerm(15,'Bank B stocks department','Maria','null','transactional_data','offer_products_and_services',
                'offer_stock_investiments',
                'data_analytics',
                15811200,
                'none',
                'e-mail',
                'stocks@bankb.br',
                'SHA256',
                'Only the stocks department can access the data',
                'Bank B private cloud',
                14).

true.

The pluggable consent term will be valid only if the consent term with the university is valid.

In [85]:
?- consentTermStatus(id(14),dataController('Bank B'),dataSubject('Maria'),status('Valid')),
  assertz(consentTermStatus(id(15),dataController('Bank B stocks department'),dataSubject('Maria'),status('Valid'))).

true.

The following function will check if there is valid consent. If so, the data subject will accept the plugged consent.

In [86]:
% Description: This function sets that the Data Subject agreed with the pluggable consent term.
% This function receives the params:
%    i. Consent ID
%   ii. Data Subject
%  iii. Data Controller
%   iv. Request Format (Direct/Express or Proxy/Tacit)
%    v. Personal Data
%   vi. Sensitive Data
%  vii. Start Date - Timestamp
% viii. End Date - Timestamp
%   ix. Consent Relationship (pluggable consent ID, general consent ID)

setThatdsAgreeWithPluggableConsentTerm(id(ID),dataSubject(DS),
                                dataController(DC),
                                requestFormat(RF,DS,LPC),
                                personalData(DS,PData),
                                sensitiveData(DS,SData),
                                startDate(StartTS),
                                endDate(EndTS),
                                consentRelationship(id(ID),id(CP))) :-
    consentTermStatus(id(ID),dataController(DC),dataSubject(DS),status('Valid')),
    assertz(consentRelationship(id(ID),id(CP))),
    
    assertz(origin(id(ID),dataSubject(DS),dataController(DC),requestFormat(RF,DS,LPC))),
    assertz(requestFormat(RF,DS,LPC)),
    
    assertz(dsAgreeWithConsentTerms(dataSubject(DS),dataController(DC),startDate(StartTS),endDate(EndTS))),
    assertz(log('Data Subject agrees with consent term','Communication','Compliance',StartTS)),

    assertz(dcIsCollectingDSData(id(ID),dataController(DC),dataSubject(DS),personalData(DS,PData),sensitiveData(DS,SData),startDate(StartTS),endDate(EndTS))),
    assertz(log('Data Controller can collect the Data Subject information','Explanation','Permission',StartTS)),
    
    assertz(dcIsStoringDSData(id(ID),dataController(DC),dataSubject(DS),personalData(DS,PData),sensitiveData(DS,SData),startDate(StartTS),endDate(EndTS))),
    assertz(log('Data Controller can store the Data Subject information','Explanation','Permission',StartTS)),
        
    assertz(dcIsProcessingDSData(id(ID),dataController(DC),dataSubject(DS),personalData(DS,PData),sensitiveData(DS,SData),startDate(StartTS),endDate(EndTS))),
    assertz(log('Data Controller can process the Data Subject information','Explanation','Permission',StartTS)).



In [87]:
?- setThatdsAgreeWithPluggableConsentTerm(id(15),
                                dataSubject('Maria'),
                                dataController('Bank B stocks department'),
                                requestFormat('Direct','Maria','null'),
                                personalData('Maria','maria@mail.com'),
                                sensitiveData('Maria','transactional_data'),
                                startDate(1639970970),
                                endDate(EndDate),
                                consentRelationship(id(15),id(14))), EndDate is 1639970970+15811200.

EndDate = 1655782170 .

Now, the data subject can ask Bank B whether the data controller mentioned in the plugged consent is processing his/her data.

In [88]:
% This function defines the right to request processing confirmation to the Data Subject

dsRight(processingConfirmation,dataSubject('Maria'),dataController('Bank B stocks department')).
?- assertz(log('Data Subject can ask if the Data Controller is processing his/her data','Explanation','Permission',1639970979)).

true.

In [89]:
% This function call returns true if all the Data Subject's rights were associated with him/her.

?- setDSRights(dataSubject('Maria'),dataController('Bank B stocks department'),startDate(1639970979)).

true.

Let's check who is processing Maria's data.

In [90]:
?- dcIsCollectingDSData(id(ID),
dataController(DController),
dataSubject('Maria'),
personalData('Maria',PData),sensitiveData('Maria',SData),startDate(SDate),endDate(EDate)), ID>11.

ID = 14, DController = Bank B, PData = maria@mail.com, SData = transactional_data, SDate = 1639970970, EDate = Variable(170) ;
ID = 15, DController = Bank B stocks department, PData = maria@mail.com, SData = transactional_data, SDate = 1639970970, EDate = Variable(85) .

What will happen when the general consent is not valid anymore?

Here we can observe that there is a consent relationship between consents 14 and 15.

In [91]:
?- consentRelationship(id(Pluggable),id(General)).

Pluggable = 15, General = 14 .

In [92]:
?- id(X).

X = 14 ;
X = 15 .

Now, let's revoke the general consent (id 14).

In [93]:
% This function call returns true if the Data Subject's request was successfully performed.
?- setDSRevokeConsent(id(14),
                        dataSubject('Maria'),
                        dataController('Bank B'),
                        personalData('Maria','maria@mail.com'),
                        sensitiveData('Maria','transactional_data'),
                        now(1639970980),
                        startDate(1639970970),
                        endDate(EndDate)
                        ), 
                        EndDate is 1639970970+31536000.

EndDate = 1671506970 .

As we can observe, the consent id 14 does not exist anymore, but there is a pluggable consent.

In [94]:
?- id(X).
?- consentRelationship(id(Pluggable),id(General)).

X = 15 .
Pluggable = 15, General = 14 .

Thus, the data controller should also revoke the pluggable consent. It means that the consent term status should be invalid after revocation.

In [95]:
?- setDSRevokeConsent(id(15),
                        dataSubject('Maria'),
                        dataController('Bank B stocks department'),
                        personalData('Maria','maria@mail.com'),
                        sensitiveData('Maria','transactional_data'),
                        now(1639970990),
                        startDate(1639970970),
                        endDate(EndDate)
                        ), 
                        EndDate is 1639970970+15811200.

EndDate = 1655782170 .

In [96]:
?- consentTermStatus(id(ID),dataController(DataController),dataSubject('Maria'),status(Status)).

ID = 14, DataController = Bank B, Status = Invalid ;
ID = 15, DataController = Bank B stocks department, Status = Invalid .

In [97]:
?- id(X).

false.
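The cascade performed by hand in cells 93 to 96, together with the time-range rule for pluggable consents, written as reusable rules (an added example, not the notebook's own code). The facts are constructed to mirror the state right after the general consent 14 was revoked; `consentPeriod/3`, `orphanedPlug/2`, `plugOutsideGeneralRange/2`, `cascadeRevocation/2` and `invalidatePlug/2` are hypothetical names, and the log wording is this example's. It goes slightly beyond the page by also covering a plug that is plugged into another plug.

```prolog
% Added example (SWI-Prolog); load it stand-alone, not inside the notebook session.
:- use_module(library(lists)).
:- dynamic consentTermStatus/4, consentRelationship/2, consentPeriod/3, log/4.

% Constructed facts: general consent 14 is revoked, pluggable consent 15 is
% still marked valid, and 15 is plugged into 14.
consentTermStatus(id(14), dataController('Bank B'),
                  dataSubject('Maria'), status('Invalid')).
consentTermStatus(id(15), dataController('Bank B stocks department'),
                  dataSubject('Maria'), status('Valid')).
consentRelationship(id(15), id(14)).

% consentPeriod/3 is a hypothetical helper fact (not on the page) that holds
% bound start and end timestamps for each consent id.
consentPeriod(id(14), startDate(1639970970), endDate(1671506970)).
consentPeriod(id(15), startDate(1639970970), endDate(1655782170)).

% orphanedPlug(-Plug, -General)
% Plug is still valid although the consent it is plugged into is not.
% A General consent without any status fact also counts as not valid.
orphanedPlug(id(Plug), id(General)) :-
    consentRelationship(id(Plug), id(General)),
    consentTermStatus(id(Plug), _, _, status('Valid')),
    \+ consentTermStatus(id(General), _, _, status('Valid')).

% plugOutsideGeneralRange(-Plug, -General)
% "At most the same time range" is read here as: the plug's period must lie
% inside the general consent's period.
plugOutsideGeneralRange(id(Plug), id(General)) :-
    consentRelationship(id(Plug), id(General)),
    consentPeriod(id(Plug), startDate(PS), endDate(PE)),
    consentPeriod(id(General), startDate(GS), endDate(GE)),
    once(( PS < GS ; PE > GE )).

% cascadeRevocation(+now(Now), -Revoked)
% Invalidates every orphaned plug and repeats until none is left, so a plug
% plugged into another plug is revoked as well. Revoked lists the ids touched.
cascadeRevocation(now(Now), Revoked) :-
    findall(P, orphanedPlug(id(P), _), Found),
    sort(Found, Plugs),
    (   Plugs == []
    ->  Revoked = []
    ;   forall(member(P, Plugs), invalidatePlug(id(P), Now)),
        cascadeRevocation(now(Now), Rest),
        append(Plugs, Rest, Revoked)
    ).

% invalidatePlug(+id(P), +Now): flip the status to Invalid and log the event.
invalidatePlug(id(P), Now) :-
    once(consentTermStatus(id(P), DC, DS, status('Valid'))),
    retractall(consentTermStatus(id(P), DC, DS, status('Valid'))),
    assertz(consentTermStatus(id(P), DC, DS, status('Invalid'))),
    % Log wording is this example's, following the page's log/4 shape.
    assertz(log('Pluggable consent revoked because its general consent is not valid',
                'Communication', 'Compliance', Now)).

% Example queries:
% ?- orphanedPlug(Plug, General).
% ?- plugOutsideGeneralRange(Plug, General).
% ?- cascadeRevocation(now(1639970990), Revoked).
```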

In this sense, the red entities are affected by the pluggable consent, as depicted in Figure 22.

As there is now a new data controller, the access restrictions, sharing policies, and the controller's identification might differ from those of the general consent. This new pluggable consent may also change the time range of this consent term.

This pluggable consent changes the access right; now, if the data subject asks this new data controller whether it is collecting and processing his/her data, he/she will receive a positive answer.

Moreover, the purpose limitation will be different from the general consent term, and, like any other consent term, the data subject can request consent revocation at any time.

However, as depicted in the anonymization scenario, changes in the consent term may affect some of the data subject's actions. For instance, if a student revokes a discipline consent term, this student might not be allowed to participate in the class activities.

![PluggableConsentImpact](./img/PluggableConsentImpact.png "Pluggable Consent Impact")
Fig.22 - Pluggable Consent Impact.

In [98]:
?- log(Event,Type,DeonticOperator,Date), Date >= 1639970970 {-1}.

Event = Data Subject can ask if the Data Controller is processing his/her data, Type = Explanation, DeonticOperator = Permission, Date = 1639970970 ;
Event = Data Subject verified the consent term and it was ok, Type = Explanation, DeonticOperator = Obligation, Date = 1639970970 ;
Event = Data Subject agrees with consent term, Type = Communication, DeonticOperator = Compliance, Date = 1639970970 ;
Event = Data Controller can collect the Data Subject information, Type = Explanation, DeonticOperator = Permission, Date = 1639970970 ;
Event = Data Controller can store the Data Subject information, Type = Explanation, DeonticOperator = Permission, Date = 1639970970 ;
Event = Data Controller can process the Data Subject information, Type = Explanation, DeonticOperator = Permission, Date = 1639970970 ;
Event = Data Subject can now have all foressen rights, Type = Explanation, DeonticOperator = Permission, Date = 1639970970 ;
Event = Data Subject agrees with consent term, Type = Communication,