Matching Privacy Policies and Preferences: Access Control, Obligations, Authorisations, and Downstream Usage

This chapter describes how users’ privacy preferences and services’ privacy policies are matched in order to decide whether personal data can be shared with services. Matching has to take into account data handling, i.e. does services handle collected data in a suitable way according to user expectations, and access control, i.e. do the service that will be granted access to the data comply with user expectations. Whereas access control describes the conditions that have to be fulfilled before data is released, data handling describes how the data has to be treated after it is released. Data handling is specified as obligations that must be fulfilled by the service and authorisations that may be used by the service. An important aspect of authorisation, especially in light of the current trend towards composed web services (so-called mash-ups), is downstream usage, i.e., with whom and under which data handling restrictions data can be shared.