Legal Requirements Analysis

Sallam Abualhaija, Marcello Ceci, Lionel Briand
2024-02-17
Abstract: Modern software has been an integral part of everyday activities in many disciplines and application contexts. Introducing intelligent automation by leveraging artificial intelligence (AI) has led to breakthroughs in many fields. The effectiveness of AI can be attributed to several factors, among which is the increasing availability of data. Regulations such as the General Data Protection Regulation (GDPR) in the European Union (EU) are introduced to ensure the protection of personal data. Software systems that collect, process, or share personal data are subject to compliance with such regulations. Developing compliant software depends heavily on addressing legal requirements stipulated in applicable regulations, a central activity in the requirements engineering (RE) phase of the software development process. RE is concerned with specifying and maintaining the requirements of a system-to-be, including legal requirements. Legal agreements that describe the policies organizations implement for processing personal data can provide an additional source, besides regulations, for eliciting legal requirements. In this chapter, we explore a variety of methods for analyzing legal requirements and exemplify them on GDPR. Specifically, we describe possible alternatives for creating machine-analyzable representations from regulations, survey the existing automated means for enabling compliance verification against regulations, and further reflect on the current challenges of legal requirements analysis.
Software Engineering, Artificial Intelligence
What problem does this paper attempt to address?
### Problems the Paper Attempts to Solve

This paper aims to explore how to analyze legal requirements, particularly how to extract these requirements from regulations and transform them into machine-analyzable representations that support compliance checks during the software development process. Specifically, the paper focuses on the following aspects:

1. **Representation of Legal Requirements**: How to transform legal texts from regulations into machine-analyzable forms so that automated techniques can process them.
2. **Compliance Checking**: How to use automated means to verify whether software systems comply with relevant regulatory requirements.
3. **Review of Existing Methods**: The paper reviews existing automated methods that can help developers ensure compliance during the software development process.
4. **Challenges and Future Directions**: The paper discusses the current challenges in legal requirements analysis and proposes future research directions.

### Background

Modern software systems are increasingly complex and data-driven, especially with the application of artificial intelligence (AI). Software systems are widely used in fields such as healthcare, transportation, manufacturing, and finance. With the proliferation of these systems, regulations (such as the European Union's General Data Protection Regulation (GDPR)) have been introduced to ensure the legality, ethics, and robustness of software development. Developing software systems that comply with regulations is a core issue in the field of requirements engineering (RE). Legal requirements analysis involves creating machine-analyzable representations of legal texts in order to develop automated analysis techniques.

### Research Object

The paper takes GDPR as an example to explore various methods of legal requirements analysis in detail. GDPR is considered the benchmark for data protection and privacy standards. Since its enforcement in 2018, it has been widely studied, especially in terms of extracting requirements related to privacy and data processing. Any organization operating within the EU, regardless of its location, must comply with GDPR or face hefty fines. Therefore, analyzing the legal requirements in GDPR is a necessary prerequisite for developing compliant software systems.

### Methods

The paper introduces the following methods for analyzing legal requirements:

1. **Natural Language Processing (NLP)**: Using NLP techniques to extract key information from regulatory texts and generate machine-analyzable representations.
2. **Template-Based Methods**: Structuring legal requirements into predefined templates, with each criterion consisting of preconditions and postconditions.
3. **Activity Diagrams**: Using activity diagrams to represent workflows in a form that legal experts can understand.
4. **Formal Logic**: Using formal logic to represent legal requirements so that they are precise and consistent.

### Structure

The structure of the paper is as follows:

- **Section 2**: From Regulations to Representations. Introduces how to extract legal norms from regulations and transform them into machine-analyzable forms.
- **Section 3**: Automated Support. Discusses how to use NLP techniques and formal logic to achieve automated compliance checking.
- **Section 4**: Challenges and Future Directions. Discusses the current challenges in legal requirements analysis and proposes future research directions.

### Terminology

- **Legal Requirements**: Requirements derived from legislative documents.
- **Compliance Checking**: Establishing the compliance of software, i.e., the relationship between system specifications and the relevant legal norms.
- **Violation**: From the perspective of requirements engineering, the situation in which a system fails to meet a legal requirement.

### Example

The paper illustrates how to analyze and represent legal requirements through a specific example: Article 33 of GDPR, on the notification of personal data breaches. Article 33 stipulates that in the event of a personal data breach, the controller must notify the supervisory authority within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. If the notification is made after 72 hours, the reasons for the delay must be provided.

### Summary

Through comprehensive analysis and a review of methods, the paper aims to provide requirements engineers with tools and methods for ensuring that software systems comply with relevant regulations during the development process. This not only helps improve the legality and security of software systems but also reduces the legal risks that may arise from non-compliance.
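The Article 33 example above can be expressed in the template-based form the summary describes (a criterion with a precondition and a postcondition) and then checked automatically against system records. The following Python is an added illustration written for this page, not code from the paper or its authors: it encodes the 72-hour obligation, the "unlikely to result in a risk" exception, and the duty to give reasons for a late notification as one checkable rule, and runs it over a handful of constructed breach records. The record layout (`BreachRecord`), the function names, and the sample timestamps are assumptions made for the example; only the rule's substance comes from the page.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Article 33 GDPR, as summarized on the page: notify the supervisory authority
# within 72 hours of becoming aware of the breach, unless the breach is unlikely
# to result in a risk; a notification made after 72 hours must state the reasons
# for the delay. The 72-hour figure is the only constant taken from the text.
NOTIFICATION_DEADLINE = timedelta(hours=72)


@dataclass
class BreachRecord:
    """Hypothetical system record of one personal data breach (assumed layout)."""
    breach_id: str
    aware_at: datetime                 # when the controller became aware
    risk_unlikely: bool                # outcome of the controller's risk assessment
    notified_at: Optional[datetime] = None   # when the supervisory authority was notified
    delay_reasons: Optional[str] = None      # reasons given if notified after 72 hours


@dataclass
class Verdict:
    breach_id: str
    compliant: bool
    findings: List[str] = field(default_factory=list)


def check_article_33(record: BreachRecord) -> Verdict:
    """Evaluate one breach record against the Article 33 criterion.

    Precondition: the obligation applies only if the breach is not assessed as
    unlikely to result in a risk. Postcondition: a notification exists and was
    made within 72 hours, or, if later, is accompanied by reasons for the delay.
    """
    verdict = Verdict(record.breach_id, compliant=True)

    if record.risk_unlikely:
        # Exception clause: no notification obligation, so no violation possible.
        verdict.findings.append("obligation does not apply: breach assessed as unlikely to result in a risk")
        return verdict

    if record.notified_at is None:
        verdict.compliant = False
        verdict.findings.append("no notification to the supervisory authority recorded")
        return verdict

    delay = record.notified_at - record.aware_at
    if delay < timedelta(0):
        # Inconsistent data is reported as a violation rather than silently accepted.
        verdict.compliant = False
        verdict.findings.append("notification timestamp precedes awareness timestamp")
        return verdict

    if delay <= NOTIFICATION_DEADLINE:
        verdict.findings.append(f"notified {delay} after awareness, within the 72-hour window")
        return verdict

    # Late notification: compliant only if reasons for the delay accompany it.
    if record.delay_reasons and record.delay_reasons.strip():
        verdict.findings.append(f"notified {delay} after awareness; reasons for the delay provided")
    else:
        verdict.compliant = False
        verdict.findings.append(f"notified {delay} after awareness with no reasons for the delay")
    return verdict


def check_all(records: List[BreachRecord]) -> List[Verdict]:
    """Run the Article 33 check over a set of records (the compliance-checking step)."""
    return [check_article_33(r) for r in records]


# Constructed sample records covering each branch of the rule.
SAMPLE_RECORDS = [
    BreachRecord("B-001", datetime(2024, 3, 1, 9, 0), False, datetime(2024, 3, 2, 10, 0)),
    BreachRecord("B-002", datetime(2024, 3, 1, 9, 0), False, datetime(2024, 3, 5, 9, 0)),
    BreachRecord("B-003", datetime(2024, 3, 1, 9, 0), False, datetime(2024, 3, 5, 9, 0),
                 delay_reasons="forensic scoping of affected records took longer than 72 hours"),
    BreachRecord("B-004", datetime(2024, 3, 1, 9, 0), True),
    BreachRecord("B-005", datetime(2024, 3, 1, 9, 0), False),
]

if __name__ == "__main__":
    for v in check_all(SAMPLE_RECORDS):
        status = "COMPLIANT" if v.compliant else "VIOLATION"
        print(f"{v.breach_id}: {status}; " + "; ".join(v.findings))
```

Encoding the exception as a precondition keeps the check honest: a breach assessed as unlikely to result in a risk is reported as "obligation does not apply" rather than as compliant-by-default, which matters when the risk assessment itself is later questioned. The same precondition/postcondition shape carries over to other GDPR articles once their norms have been extracted, which is the representation step the paper's Section 2 is about.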