Privacy Rule Definition Language - A Multistakeholder Approach to ENDORSE Privacy

Towards data protection compliance

Security and Cryptography ( …, 2010

Privacy and data protection are fundamental issues nowadays for every organization. This paper calls for the development of methods, techniques and infrastructure to allow the deployment of privacy-aware IT systems, in which humans are an integral part of the organizational processes and accountable for their possible misconduct. In particular, we discuss the challenges to be addressed in order to improve organizations' privacy practices, as well as the approach to ensure compliance with legal requirements and increase efficiency.

* This work has been partially funded by the EU-IST-IP-216287 TAS 3 project.

The Layered Privacy Language Art 12 - 14 GDPR Extension - Privacy Enhancing User Interfaces

2019

On 25th May 2018, the EU-wide General Data Protection Regulation (GDPR) came into force in order to strengthen the rights of Data Subjects. Although the GDPR specifies the required information which has to be presented to a Data Subject, a lack of transparency can still be argued due to the unfavorable presentation of the privacy policy. Furthermore, no systematic approach for the enforcement of privacy policies in technical systems is deployed. These issues are tackled by the both human- and machine-readable Layered Privacy Language (LPL), which models legal privacy policies. This work introduces an extension for LPL to comply with Art. 12-14 GDPR. Additionally, user interface prototypes will be introduced to allow the creation of LPL privacy policies by the Data Protection Officer as well as a structured presentation of the LPL privacy policy for web applications.

A three-layered model to implement data privacy policies

Computer Standards & Interfaces, 2008

An increasing number of business-to-business and business-to-customer services are accomplished by means of web technologies and mobile devices. As a consequence, sensitive data are continuously exposed to the risk of being delivered to final users or intermediary actors taking part in the data transactions who might not have the proper access rights to obtain those data. This new generation of services is often characterized by high dynamism and untrustworthiness: existing technologies for managing and applying data privacy policies could be unsuccessful when dealing with this kind of context, as they could require too many resources, degrade the data quality to an unacceptable level, or be too pervasive for data sources or data requestors. Moreover, the industrial and research communities are beginning to perceive the need to embed the mechanisms for preserving data privacy within the software product and process, as emerges from the recent literature. This paper proposes an approach to manage data privacy, inspired by the front-end trust filter paradigm, which aims at guaranteeing high flexibility, reducing the resources required, and limiting the pervasiveness into the applications and devices involved in the data exchange. Our approach has the potential to curtail the change impact due to the dynamism and to foster the reuse of strategies, and their implementations, also across organizations.

Data Protection from Policy to Practice

2020

Currently, most services and operations are connected to the internet, and this raises concerns about the security of client data. Each time the client requires a service, there is some information to be filled in through the online platforms, and this can either be appropriately used or abused. Some countries have different data protection laws, while others lack them. For instance, according to the US, different data require different protection guidelines. The guidelines determine the pieces of information that can be revealed to the general public and those that can only be disclosed to a specific population for specific use. In the quest to meet these regulations, there is a need to come up with a legal code that elaborates a comprehensive data protection policy. The current paper further conveys the importance of comprehensive codes in the issue of data protection in minimizing data theft and unauthorized access. Markedly, these rules and regulations are the basis of success in information technology in the modern environment.

Data Privacy Vocabulary (DPV) - Version 2

2024

The Data Privacy Vocabulary (DPV), developed by the W3C Data Privacy Vocabularies and Controls Community Group (DPVCG), enables the creation of machine-readable, interoperable, and standards-based representations for describing the processing of personal data. The group has also published extensions to the DPV to describe specific applications to support legislative requirements such as the EU's GDPR. The DPV fills a crucial niche in the state of the art by providing a vocabulary that can be embedded and used alongside other existing standards such as W3C ODRL, and which can be customised and extended for adapting to the specifics of use cases or domains. This article describes the version 2 iteration of the DPV in terms of its contents, methodology, current adoptions and uses, and future potential. It also describes the relevance and role of DPV in acting as a common vocabulary to support various regulatory (e.g. the EU's DGA and AI Act) and community initiatives (e.g. Solid) emerging across the globe.

Privacy Policies, Tools and Mechanisms of the Future

iNetSec 2009 – Open Research Problems in Network Security, 2009

Although many believe that we have lost the battle for privacy, protection of what's left of the user's privacy is all the more important. Not only should a user be able to minimize the disclosure of her personal data, she should also have rights to decide what happens with her data once they have been disclosed. In order to minimize user interaction when deciding whether or not to reveal personal data, privacy policy languages were developed. However, these languages are inadequate and cannot properly deal with the complex interactions between users, service providers, third parties, identity providers and others. Also, tool support for composing and verifying these policies and mechanisms for enforcing them are lagging behind. This paper argues the need for better privacy policies and proposes some solutions. Throughout the paper, our statements are applied to three sample applications in three different domains: e-health, banking and social networks.

A semantics based approach to privacy languages

2006

A key reason for the slow adoption of the Platform for Privacy Preferences (P3P) is the lack of a formal semantics. Without a formal semantics, a P3P policy may be semantically inconsistent and may be interpreted and represented differently by different user agents. In this paper, we redress these problems by proposing a relational formal semantics for P3P policies, which precisely models the relationships between different components of P3P statements (i.e., collected data items, purposes, recipients and retentions) during online information collection. Based on this semantics, we present SemPref, a simple, efficient and expressive semantics-based preference language. Unlike previously proposed preference languages, SemPref queries the meaning of a privacy policy rather than its syntactic representation. The proposed formal semantics and preference language are an important step towards improving P3P, making it more comprehensible to enterprises and individual users, and ultimately accelerating the large-scale adoption of P3P across the Internet.

PRDLWorkflow - A Language-based Expert System for Data Privacy

Democratic societies and self-determined individuals claim their right to data privacy. The European Commission and its associated regulations endorse this right. These regulations cause several implementation issues due to the fact that each member of the European Union has to implement its own nationalized version, which results in various, non-comparable and incomplete realizations. As a consequence, internationally operating small and medium-sized enterprises (SMEs) struggle to fulfil compliance with these heterogeneous legal regulations. One possibility for formally encoding law-compliant Enterprise Privacy Policies (EPPs) is the so-called Privacy Rule Definition Language (PRDL), an artificial language developed within the ENDORSE project, funded in the 7th Framework Programme of the European Commission. The aim of the work at hand is to tackle compliance issues by introducing a wizard-based expert system which assists Data Controllers in writing their Enterprise Privacy Policies (EPPs). The basis for this wizard is a set of workflow definitions, which are encoded into the system by the use of PRDLWorkflow, one of the three dialects of PRDL. These workflow definitions are interpreted by the system and then turned into browser-based wizards. It is envisioned that these wizards enable law experts to create, adopt and modify EPPs without the necessity of expert knowledge in the fields of software engineering and expert systems design. This newly created environment shall foster the correct adaptation of regulations within enterprises, draw attention to regulation conflicts and guarantee uniformity throughout all subsidiaries.

RSLingo4Privacy Studio - A Tool to Improve the Specification and Analysis of Privacy Policies

Proceedings of the 19th International Conference on Enterprise Information Systems, 2017

Popular software applications collect and retain a lot of users' information, part of which is personal and sensitive. To assure that only the desired information is made public, these applications have to define and publish privacy policies that describe how they manage and disclose this information. Problems arise when privacy policies are misinterpreted, for instance because they contain ambiguous and inconsistent statements, which results in a defective application of the policy enforcement mechanisms. The RSLingo4Privacy approach aims to improve the specification and analysis of such policies. This paper presents and discusses its companion tool, the RSLingo4Privacy Studio, which materializes this approach by providing the technological support for users to specify, analyze and publish policies based on the RSL-IL4Privacy domain-specific language. We validated its feasibility using popular websites' policies such as those of Dropbox, Facebook, IMDB, LinkedIn, Twitter and Zynga. We conclude this paper with a discussion of the related work, namely a comparative analysis of the pros and cons of RSLingo4Privacy Studio with respect to other previous proposals.