LPL, Towards a GDPR-Compliant Privacy Language: Formal Definition and Usage

The upcoming General Data Protection Regulation (GDPR) imposes several new legal requirements for privacy management in information systems. In this paper, we introduce LPL, an extensible Layered Privacy Language that allows these new privacy properties, such as personal privacy, user consent, data provenance, and retention management, to be expressed and enforced. We present a formal description of LPL. Based on a set of usage examples, we show how LPL expresses and enforces the main features of the GDPR and supports the application of state-of-the-art anonymization techniques.
