LPL, Towards a GDPR-Compliant Privacy Language: Formal Definition and Usage

  • Armin GerlEmail author
  • Nadia Bennani
  • Harald Kosch
  • Lionel Brunie
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10940)


The upcoming General Data Protection Regulation (GDPR) imposes several new legal requirements for privacy management in information systems. In this paper, we introduce LPL, an extensible Layered Privacy Language that allows to express and enforce these new privacy properties such as personal privacy, user consent, data provenance, and retention management. We present a formal description of LPL. Based on a set of usage examples, we present how LPL expresses and enforces the main features of the GDPR and application of state-of-the-art anonymization techniques.


Anonymization GDPR LPL Personal privacy Privacy language Privacy model Privacy-preservation Provenance 


  1. 1.
    Cranor, L.F., Arjula, M., Guduru, P.: Use of a P3P user agent by early adopters. In: Proceedings of the 2002 ACM Workshop on Privacy in the Electronic Society, WPES 2002, pp. 1–10. ACM, New York (2002)Google Scholar
  2. 2.
    Iyilade, J., Vassileva, J.: P2U: a privacy policy specification language for secondary data sharing and usage. In: Proceedings of IEEE Security and Privacy Workshops, pp. 18–22, May 2014Google Scholar
  3. 3.
    Council of the European Union: General data protection regulation, April 2016. Regulation (EU) 2016 of the European Parliament and of the Council of on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/ECGoogle Scholar
  4. 4.
    Tsormpatzoudi, P., Berendt, B., Coudert, F.: Privacy by design: from research and policy to practice – the challenge of multi-disciplinarity. In: Berendt, B., Engel, T., Ikonomou, D., Le Métayer, D., Schiffner, S. (eds.) APF 2015. LNCS, vol. 9484, pp. 199–212. Springer, Cham (2016). Scholar
  5. 5.
    von Lewinski, K., Pohl, D.: Kommunikation von Datenschutz - Recht und (gute) Praxis. Stiftung Datenschutz, June 2017Google Scholar
  6. 6.
    Chowdhury, O., et al.: Privacy promises that can be kept: a policy analysis method with application to the HIPAA privacy rule. In: Proceedings of the 18th ACM Symposium on Access Control Models and Technologies, SACMAT 2013, pp. 3–14. ACM, New York (2013)Google Scholar
  7. 7.
    Shmueli, E., Tassa, T.: Privacy by diversity in sequential releases of databases. Inf. Sci. 298, 344–372 (2015)CrossRefGoogle Scholar
  8. 8.
    Sweeney, L.: k-anonymity: a model for protecting privacy. Int. J. Uncertaint. Fuzziness Knowl. Based Syst. 10(05), 557–570 (2002)MathSciNetCrossRefGoogle Scholar
  9. 9.
    Machanavajjhala, A., Kifer, D., Gehrke, J., Venkitasubramaniam, M.: L-diversity: privacy beyond k-anonymity. ACM Trans. Knowl. Discov. Data 1(1) (2007). Article no. 3
  10. 10.
    Li, N., Li, T., Venkatasubramanian, S.: t-closeness: Privacy beyond k-anonymity and l-diversity. In: Proceedings IEEE 23rd International Conference on Data Engineering, pp. 106–115, April 2007Google Scholar
  11. 11.
    Bertino, E., Lin, D., Jiang, W.: A survey of quantification of privacy preserving data mining algorithms. In: Aggarwal, C.C., Yu, P.S. (eds.) Privacy-Preserving Data Mining. Advances in Database Systems, vol. 34, pp. 183–205. Springer, Boston (2008). Scholar
  12. 12.
    Fabian, B., Göthling, T.: Privacy-preserving data warehousing. Int. J. Bus. Intell. Data Min. 10(4), 297–336 (2015)CrossRefGoogle Scholar
  13. 13.
    Xiao, X., Tao, Y.: Personalized privacy preservation. In: Proceedings of the 2006 ACM SIGMOD International Conference on Management of Data, SIGMOD 2006, pp. 229–240. ACM, New York (2006)Google Scholar
  14. 14.
    Kumaraguru, P., Cranor, L., Lobo, J., Calo, S.: A survey of privacy policy languages. In: Workshop on Usable IT Security Management (USM 2007) at Symposium On Usable Privacy and Security 2007 (2007)Google Scholar
  15. 15.
    Kasem-Madani, S., Meier, M.: Security and privacy policy languages: a survey, categorization and gap identification. CoRR, abs/1512.00201 (2015)Google Scholar
  16. 16.
    Hada, S., Kudo, M.: XML access control language: provisional authorization for XML documents, October 2000Google Scholar
  17. 17.
    Damianou, N., Dulay, N., Lupu, E., Sloman, M.: The ponder policy specification language. In: Sloman, M., Lupu, E.C., Lobo, J. (eds.) POLICY 2001. LNCS, vol. 1995, pp. 18–38. Springer, Heidelberg (2001). Scholar
  18. 18.
    Kagal, L.: Rei: a policy language for the me-centric project. Technical report, HP Labs (2002)Google Scholar
  19. 19.
    Bauer, L., Ligatti, J., Walker, D.: Composing security policies with polymer. SIGPLAN Not. 40(6), 305–314 (2005)CrossRefGoogle Scholar
  20. 20.
    Becker, M.Y., Fournet, C., Gordon, A.D.: SecPAL: design and semantics of a decentralized authorization language. J. Comput. Secur. 18(4), 619–665 (2010)CrossRefGoogle Scholar
  21. 21.
    Khandelwal, A., Bao, J., Kagal, L., Jacobi, I., Ding, L., Hendler, J.: Analyzing the AIR language: a semantic web (production) rule language. In: Hitzler, P., Lukasiewicz, T. (eds.) RR 2010. LNCS, vol. 6333, pp. 58–72. Springer, Heidelberg (2010). Scholar
  22. 22.
    Lockhart, H., Rissanen, E., Parducci, B.: eXtensible access control markup language (XACML) version 3.0. Technical report, OASIS (2013)Google Scholar
  23. 23.
    Aktug, I., Naliuka, K.: ConSpec - a formal language for policy specification. Electron. Notes Theoret. Comput. Sci. 197(1), 45–58 (2008)MathSciNetCrossRefGoogle Scholar
  24. 24.
    Lamanna, D.D., Skene, J., Emmerich, W.: Slang: a language for defining service level agreements. In: Proceedings of the Ninth IEEE Workshop on Future Trends of Distributed Computing Systems, FTDCS 2003, pp. 100–106, May 2003Google Scholar
  25. 25.
    Meland, P.H., Bernsmed, K., Jaatun, M.G., Castejón, H.N., Undheim, A.: Expressing cloud security requirements for SLAs in deontic contract languages for cloud brokers. Int. J. Cloud Comput. 3(1), 69–93 (2014). PMID: 58831CrossRefGoogle Scholar
  26. 26.
    Oberle, D., Barros, A., Kylau, U., Heinzl, S.: A unified description language for human to automated services. Inf. Syst. 38(1), 155–181 (2013)CrossRefGoogle Scholar
  27. 27.
    Cranor, L., et al.: The platform for privacy preferences 1.1 (P3P1.1) specification. Technical report, W3C (2006)Google Scholar
  28. 28.
    Bohrer, K., Holland, B.: Customer profile exchange (CPExchange) specification, Version 1.0, October 2000Google Scholar
  29. 29.
    Cranor, L., Langheinrich, M., Marchiori, M.: A P3P preference exchange language 1.0 (APPEL1.0). Technical report, W3C (2002)Google Scholar
  30. 30.
    Agrawal, R., Kiernan, J., Srikant, R., Xu, Y.: XPref: a preference language for P3P. Comput. Netw. 48(5), 809–827 (2005). Web SecurityCrossRefGoogle Scholar
  31. 31.
    Biskup, J., Brüggeman, H.H.: The personal model of data: towards a privacy-oriented information system. Comput. Secur. 7(6), 575–597 (1988)CrossRefGoogle Scholar
  32. 32.
    Ashley, P., Hada, S., Karjoth, G., Schunter, M.: E-P3P privacy policies and privacy authorization. In: Proceedings of the 2002 ACM Workshop on Privacy in the Electronic Society, WPES 2002, pp. 103–109. ACM, New York (2002)Google Scholar
  33. 33.
    Ashley, P., Hada, S., Karjoth, G., Powers, C., Schunter, M.: Enterprise privacy authorization language (EPAL 1.2). Technical report, IBM (2003).
  34. 34.
    Ardagna, C., et al.: PrimeLife policy language. In: W3C Workshop on Access Control Application Scenarios. W3C (2009)Google Scholar
  35. 35.
    Yang, J., Yessenov, K., Solar-Lezama, A.: A language for automatically enforcing privacy policies. In: Proceedings of the 39th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL 2012, pp. 85–96. ACM, New York (2012)Google Scholar
  36. 36.
    Schulzrinne, H., Tschofenig, H., Cuellar, J.R., Polk, J., Morris, J.B., Thomson, M.: Geolocation policy: a document format for expressing privacy preferences for location information. RFC 6772, January 2013Google Scholar
  37. 37.
    He, X., Machanavajjhala, A., Ding, B.: Blowfish privacy: tuning privacy-utility trade-offs using policies. In: Proceedings of the 2014 ACM SIGMOD International Conference on Management of Data, SIGMOD 2014, pp. 1447–1458. ACM, New York (2014)Google Scholar
  38. 38.
    Turner, K.J., Reiff-Marganiec, S., Blair, L., Campbell, G.A., Wang, F.: APPEL: an adaptable and programmable policy environment and language. Technical report, Computing Science and Mathematics, University of Stirling, April 2014Google Scholar
  39. 39.
    Azraoui, M., Elkhiyaoui, K., Önen, M., Bernsmed, K., De Oliveira, A.S., Sendor, J.: A-PPL: an accountability policy language. In: Garcia-Alfaro, J., et al. (eds.) DPM/QASA/SETOP-2014. LNCS, vol. 8872, pp. 319–326. Springer, Cham (2015). Scholar
  40. 40.
    Prasser, F., Kohlmayer, F., Kuhn, K.A.: A benchmark of globally-optimal anonymization methods for biomedical data. In: 2014 IEEE 27th International Symposium on Computer-Based Medical Systems, pp. 66–71, May 2014Google Scholar
  41. 41.
    Fung, B.C.M., Wang, K., Chen, R., Yu, P.S.: Privacy-preserving data publishing: a survey of recent developments. ACM Comput. Surv. 42(4), 14:1–14:53 (2010)CrossRefGoogle Scholar
  42. 42.
    Yu, T., Li, N., Antón, A.I., A formal semantics for P3P. In: Proceedings of the 2004 Workshop on Secure Web Service, SWS 2004, pp. 1–8. ACM, New York (2004)Google Scholar
  43. 43.
    Sandhu, R.S., Coyne, E.J., Feinstein, H.L., Youman, C.E.: Role-based access control models. Computer 29(2), 38–47 (1996)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag GmbH Germany, part of Springer Nature 2018

Authors and Affiliations

  • Armin Gerl
    • 1
    Email author
  • Nadia Bennani
    • 2
  • Harald Kosch
    • 1
  • Lionel Brunie
    • 2
  1. 1.DIMIS, University of PassauPassauGermany
  2. 2.LIRIS, University of LyonLyonFrance

Personalised recommendations