A Solid use case to empower and protect data subjects: Responsibilities under GDPR for governance of personal data stores

Bibliographic Details
Published in Computer law & security review Vol. 57; p. 106133
Main Authors Fierens, Michiel; Pandit, Harshvardhan J.; Tamo-Larrieux, Aurelia; Garcia, Kimberly
Format Journal Article
Language English
Published Elsevier Ltd 01.07.2025
Summary: Decentralised data governance has emerged as an alternative model in response to the challenges of managing data and privacy in conventional centralised models. ‘Personal Data Stores’ (PDS) are at the forefront of this movement and provide forms of control over storage and management of data to the individual with the goal of empowering them. In this article, we argue how PDS, while being important technological innovations, are challenging to implement in the current regulatory landscape as the interpretation of responsibilities under the GDPR is woefully inadequate for decentralised systems. This represents a challenge to the decentralisation movement and makes it difficult to empower and protect individuals under the GDPR (data subjects) using PDS. A thorough understanding of the technological and legal situation and therefore an interdisciplinary approach is essential to make policymakers aware of any efforts that still need to be made to realise the decentralisation paradigm's goal. We therefore build upon research investigating GDPR compliance in decentralised data storage and management but do so through an interdisciplinary lens applied to an emerging application, Solid, that provides technical specifications for implementing it as the leading PDS implementation. By taking an interdisciplinary approach, we consider the interaction between the legal definitions from the GDPR and the implications of established case law with Solid's technical specifications and its possible implementations. We conclude with recommendations regarding the division of responsibilities for policymakers, authorities, market participants and technical developers to simultaneously protect and empower those involved in the use of PDS, particularly through Solid. Furthermore, the role of decentralised systems such as Solid is discussed, as well as the current unclear regulatory landscape surrounding it in the context of implementing the Data Governance Act (DGA). The implications for further AI development and within data spaces are also considered.
ISSN: 2212-473X
DOI: 10.1016/j.clsr.2025.106133