Privacy Policy Specification Framework for Addressing End-Users’ Privacy Requirements

  • Nazila Gol Mohammadi
  • Jens Leicht
  • Nelufar Ulfat-Bunyadi
  • Maritta Heisel
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11711)


Privacy policies are a widely used approach to informing end-users about the processing of their data and collecting consent to such processing. These policies are defined by the service providers, and end-users do not have any control over them. According to the General Data Protection Regulation of the European Union, service providers should make the processing of end-users’ data transparent in a comprehensible way. Furthermore, service providers are obliged to provide the end-users with control over their data. Currently, end-users have to comprehend a lengthy textual policy in order to understand how their data is processed. Improved representations of policies have been proposed before; however, these improvements mostly do not empower end-users to control their data. This paper provides a conceptual model and a proof of concept for the privacy policy specification framework that empowers end-users when using online services. Instead of having to accept predefined privacy policies, end-users can define their privacy preferences and adjust the applied privacy policy for a specific service.


Keywords: Privacy, Requirements engineering, Privacy policies, Sticky policy, Cloud computing



Research leading to these results received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement number 731678 (RestAssured). We gratefully acknowledge constructive discussions with partners in the RestAssured project.



Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Nazila Gol Mohammadi (1)
  • Jens Leicht (1)
  • Nelufar Ulfat-Bunyadi (1)
  • Maritta Heisel (1)

  1. paluno - The Ruhr Institute for Software Technology, University of Duisburg-Essen, Duisburg, Germany
