Abstract
The upcoming General Data Protection Regulation (GDPR) imposes several new legal requirements for privacy management in information systems. In this paper, we introduce LPL, an extensible Layered Privacy Language that allows to express and enforce these new privacy properties such as personal privacy, user consent, data provenance, and retention management. We present a formal description of LPL. Based on a set of usage examples, we present how LPL expresses and enforces the main features of the GDPR and application of state-of-the-art anonymization techniques.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Cranor, L.F., Arjula, M., Guduru, P.: Use of a P3P user agent by early adopters. In: Proceedings of the 2002 ACM Workshop on Privacy in the Electronic Society, WPES 2002, pp. 1ā10. ACM, New York (2002)
Iyilade, J., Vassileva, J.: P2U: a privacy policy specification language for secondary data sharing and usage. In: Proceedings of IEEE Security and Privacy Workshops, pp. 18ā22, May 2014
Council of the European Union: General data protection regulation, April 2016. Regulation (EU) 2016 of the European Parliament and of the Council of on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC
Tsormpatzoudi, P., Berendt, B., Coudert, F.: Privacy by design: from research and policy to practice ā the challenge of multi-disciplinarity. In: Berendt, B., Engel, T., Ikonomou, D., Le MĆ©tayer, D., Schiffner, S. (eds.) APF 2015. LNCS, vol. 9484, pp. 199ā212. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-31456-3_12
von Lewinski, K., Pohl, D.: Kommunikation von Datenschutz - Recht und (gute) Praxis. Stiftung Datenschutz, June 2017
Chowdhury, O., et al.: Privacy promises that can be kept: a policy analysis method with application to the HIPAA privacy rule. In: Proceedings of the 18th ACM Symposium on Access Control Models and Technologies, SACMAT 2013, pp. 3ā14. ACM, New York (2013)
Shmueli, E., Tassa, T.: Privacy by diversity in sequential releases of databases. Inf. Sci. 298, 344ā372 (2015)
Sweeney, L.: k-anonymity: a model for protecting privacy. Int. J. Uncertaint. Fuzziness Knowl. Based Syst. 10(05), 557ā570 (2002)
Machanavajjhala, A., Kifer, D., Gehrke, J., Venkitasubramaniam, M.: L-diversity: privacy beyond k-anonymity. ACM Trans. Knowl. Discov. Data 1(1) (2007). https://doi.org/10.1145/1217299.1217302. Article no. 3
Li, N., Li, T., Venkatasubramanian, S.: t-closeness: Privacy beyond k-anonymity and l-diversity. In: Proceedings IEEE 23rd International Conference on Data Engineering, pp. 106ā115, April 2007
Bertino, E., Lin, D., Jiang, W.: A survey of quantification of privacy preserving data mining algorithms. In: Aggarwal, C.C., Yu, P.S. (eds.) Privacy-Preserving Data Mining. Advances in Database Systems, vol. 34, pp. 183ā205. Springer, Boston (2008). https://doi.org/10.1007/978-0-387-70992-5_8
Fabian, B., Gƶthling, T.: Privacy-preserving data warehousing. Int. J. Bus. Intell. Data Min. 10(4), 297ā336 (2015)
Xiao, X., Tao, Y.: Personalized privacy preservation. In: Proceedings of the 2006 ACM SIGMOD International Conference on Management of Data, SIGMOD 2006, pp. 229ā240. ACM, New York (2006)
Kumaraguru, P., Cranor, L., Lobo, J., Calo, S.: A survey of privacy policy languages. In: Workshop on Usable IT Security Management (USM 2007) at Symposium On Usable Privacy and Security 2007 (2007)
Kasem-Madani, S., Meier, M.: Security and privacy policy languages: a survey, categorization and gap identification. CoRR, abs/1512.00201 (2015)
Hada, S., Kudo, M.: XML access control language: provisional authorization for XML documents, October 2000
Damianou, N., Dulay, N., Lupu, E., Sloman, M.: The ponder policy specification language. In: Sloman, M., Lupu, E.C., Lobo, J. (eds.) POLICY 2001. LNCS, vol. 1995, pp. 18ā38. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44569-2_2
Kagal, L.: Rei: a policy language for the me-centric project. Technical report, HP Labs (2002)
Bauer, L., Ligatti, J., Walker, D.: Composing security policies with polymer. SIGPLAN Not. 40(6), 305ā314 (2005)
Becker, M.Y., Fournet, C., Gordon, A.D.: SecPAL: design and semantics of a decentralized authorization language. J. Comput. Secur. 18(4), 619ā665 (2010)
Khandelwal, A., Bao, J., Kagal, L., Jacobi, I., Ding, L., Hendler, J.: Analyzing the AIR language: a semantic web (production) rule language. In: Hitzler, P., Lukasiewicz, T. (eds.) RR 2010. LNCS, vol. 6333, pp. 58ā72. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-15918-3_6
Lockhart, H., Rissanen, E., Parducci, B.: eXtensible access control markup language (XACML) version 3.0. Technical report, OASIS (2013)
Aktug, I., Naliuka, K.: ConSpec - a formal language for policy specification. Electron. Notes Theoret. Comput. Sci. 197(1), 45ā58 (2008)
Lamanna, D.D., Skene, J., Emmerich, W.: Slang: a language for defining service level agreements. In: Proceedings of the Ninth IEEE Workshop on Future Trends of Distributed Computing Systems, FTDCS 2003, pp. 100ā106, May 2003
Meland, P.H., Bernsmed, K., Jaatun, M.G., CastejĆ³n, H.N., Undheim, A.: Expressing cloud security requirements for SLAs in deontic contract languages for cloud brokers. Int. J. Cloud Comput. 3(1), 69ā93 (2014). PMID: 58831
Oberle, D., Barros, A., Kylau, U., Heinzl, S.: A unified description language for human to automated services. Inf. Syst. 38(1), 155ā181 (2013)
Cranor, L., et al.: The platform for privacy preferences 1.1 (P3P1.1) specification. Technical report, W3C (2006)
Bohrer, K., Holland, B.: Customer profile exchange (CPExchange) specification, Version 1.0, October 2000
Cranor, L., Langheinrich, M., Marchiori, M.: A P3P preference exchange language 1.0 (APPEL1.0). Technical report, W3C (2002)
Agrawal, R., Kiernan, J., Srikant, R., Xu, Y.: XPref: a preference language for P3P. Comput. Netw. 48(5), 809ā827 (2005). Web Security
Biskup, J., BrĆ¼ggeman, H.H.: The personal model of data: towards a privacy-oriented information system. Comput. Secur. 7(6), 575ā597 (1988)
Ashley, P., Hada, S., Karjoth, G., Schunter, M.: E-P3P privacy policies and privacy authorization. In: Proceedings of the 2002 ACM Workshop on Privacy in the Electronic Society, WPES 2002, pp. 103ā109. ACM, New York (2002)
Ashley, P., Hada, S., Karjoth, G., Powers, C., Schunter, M.: Enterprise privacy authorization language (EPAL 1.2). Technical report, IBM (2003). https://www.zurich.ibm.com/security/enterprise-privacy/epal/Specification/
Ardagna, C., et al.: PrimeLife policy language. In: W3C Workshop on Access Control Application Scenarios. W3C (2009)
Yang, J., Yessenov, K., Solar-Lezama, A.: A language for automatically enforcing privacy policies. In: Proceedings of the 39th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL 2012, pp. 85ā96. ACM, New York (2012)
Schulzrinne, H., Tschofenig, H., Cuellar, J.R., Polk, J., Morris, J.B., Thomson, M.: Geolocation policy: a document format for expressing privacy preferences for location information. RFC 6772, January 2013
He, X., Machanavajjhala, A., Ding, B.: Blowfish privacy: tuning privacy-utility trade-offs using policies. In: Proceedings of the 2014 ACM SIGMOD International Conference on Management of Data, SIGMOD 2014, pp. 1447ā1458. ACM, New York (2014)
Turner, K.J., Reiff-Marganiec, S., Blair, L., Campbell, G.A., Wang, F.: APPEL: an adaptable and programmable policy environment and language. Technical report, Computing Science and Mathematics, University of Stirling, April 2014
Azraoui, M., Elkhiyaoui, K., Ćnen, M., Bernsmed, K., De Oliveira, A.S., Sendor, J.: A-PPL: an accountability policy language. In: Garcia-Alfaro, J., et al. (eds.) DPM/QASA/SETOP-2014. LNCS, vol. 8872, pp. 319ā326. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-17016-9_21
Prasser, F., Kohlmayer, F., Kuhn, K.A.: A benchmark of globally-optimal anonymization methods for biomedical data. In: 2014 IEEE 27th International Symposium on Computer-Based Medical Systems, pp. 66ā71, May 2014
Fung, B.C.M., Wang, K., Chen, R., Yu, P.S.: Privacy-preserving data publishing: a survey of recent developments. ACM Comput. Surv. 42(4), 14:1ā14:53 (2010)
Yu, T., Li, N., AntĆ³n, A.I., A formal semantics for P3P. In: Proceedings of the 2004 Workshop on Secure Web Service, SWS 2004, pp. 1ā8. ACM, New York (2004)
Sandhu, R.S., Coyne, E.J., Feinstein, H.L., Youman, C.E.: Role-based access control models. Computer 29(2), 38ā47 (1996)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
Ā© 2018 Springer-Verlag GmbH Germany, part of Springer Nature
About this chapter
Cite this chapter
Gerl, A., Bennani, N., Kosch, H., Brunie, L. (2018). LPL, Towards a GDPR-Compliant Privacy Language: Formal Definition andĀ Usage. In: Hameurlain, A., Wagner, R. (eds) Transactions on Large-Scale Data- and Knowledge-Centered Systems XXXVII. Lecture Notes in Computer Science(), vol 10940. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-57932-9_2
Download citation
DOI: https://doi.org/10.1007/978-3-662-57932-9_2
Published:
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-662-57931-2
Online ISBN: 978-3-662-57932-9
eBook Packages: Computer ScienceComputer Science (R0)