A Declarative Data Protection Approach: From Human-Readable Policies to Automatic Enforcement

  • Francesco Di Cerbo
  • Alessio Lunardelli
  • Ilaria Matteucci
  • Fabio Martinelli
  • Paolo Mori
Conference paper
Part of the Lecture Notes in Business Information Processing book series (LNBIP, volume 372)


In recent years, almost every object we use in our lives has become connected and able to generate, collect and share data and information. This creates a need, on the one hand, for legal regulations, such as the new General Data Protection Regulation, that guarantee that the privacy of individuals is preserved within the sharing process and, on the other hand, for automatic mechanisms that guarantee that such regulations, in addition to user privacy preferences, are applied. The goal of this work is to propose an approach to managing data protection policies, from their specification in a controlled natural language to their translation into an automatically enforceable policy language, UPOL, for access and usage control of personal information, aiming at transparent and accountable data usage. UPOL extends and combines previous research results, U-XACML and PPL, and it is part of a more general proposal to regulate multi-party data sharing operations. A use case is proposed, considering challenges brought by the EU's new GDPR.


Keywords: Personal data protection, GDPR, Privacy, Security



This work was partly supported by EC-funded projects Coco Cloud [grant no. 610853] and by C3ISP [grant no. 700294].



Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Francesco Di Cerbo (1)
  • Alessio Lunardelli (2)
  • Ilaria Matteucci (2)
  • Fabio Martinelli (2)
  • Paolo Mori (2)

  1. SAP Security Research, Sophia Antipolis, France
  2. IIT-CNR, Pisa, Italy
