TL;DR
This paper introduces TIRA, an OpenAPI extension and toolbox that enhances transparency in RESTful architectures by enabling detailed privacy information annotations and aggregation across services, aligning with GDPR principles.
Contribution
It presents a novel OpenAPI extension and tools for aggregating transparency information, improving GDPR compliance in RESTful service architectures.
Findings
Enables detailed privacy annotations in service descriptions
Supports aggregation of transparency info across multiple services
Integrates into CI/CD pipelines for automated transparency updates
Abstract
Transparency - the provision of information about what personal data is collected for which purposes, how long it is stored, or to which parties it is transferred - is one of the core privacy principles underlying regulations such as the GDPR. Technical approaches for implementing transparency in practice are, however, only rarely considered. In this paper, we present a novel approach for doing so in current, RESTful application architectures and in line with prevailing agile and DevOps-driven practices. For this purpose, we introduce 1) a transparency-focused extension of OpenAPI specifications that allows individual service descriptions to be enriched with transparency-related annotations in a bottom-up fashion and 2) a set of higher-order tools for aggregating respective information across multiple, interdependent services and for coherently integrating our approach into automated…
