Privacy Policy Referencing

  • Audun Jøsang
  • Lothar Fritsch
  • Tobias Mahler
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6264)


Data protection legislation was originally defined for a context in which personal information was mostly stored on centralized servers with limited connectivity and limited openness to third-party access. Today, servers are connected to the Internet, where large amounts of personal information are continuously exchanged as part of application transactions. This is very different from the original context of data protection regulation. Even though an increasing number of countries have rather strict data protection laws, it is in practice challenging to ensure adequate protection for personal data that is communicated online. Enforcing privacy legislation and policies may therefore require a technological basis, integrated with adequate amendments to the legal framework. This article describes a new approach called Privacy Policy Referencing and outlines the technical framework and the complementary legal framework that need to be established to support it.





Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Audun Jøsang: UNIK University Graduate Center, University of Oslo, Norway
  • Lothar Fritsch: Norwegian Computing Center, Norway
  • Tobias Mahler: Norwegian Research Center for Computers and Law, University of Oslo, Norway; Norwegian Computing Center, Norway
