Skip to main content

Platform for Enterprise Privacy Practices: Privacy-Enabled Management of Customer Data

Part of the Lecture Notes in Computer Science book series (LNCS,volume 2482)


Enterprises collect a large amount of personal data about their customers. Even though enterprises promise privacy to their customers using privacy statements or P3P, there is no methodology to enforce these promises throughout and across multiple enterprises. This article describes the Platform for Enterprise Privacy Practices (E-P3P), which defines technology for privacy-enabled management and exchange of customer data. Its comprehensive privacy-specific access control language expresses restrictions on the access to personal data, possibly shared between multiple enterprises. E-P3P separates the enterprise-specific deployment policy from the privacy policy that covers the complete life cycle of collected data. E-P3P introduces a viable separation of duty between the three “administrators” of a privacy system: The privacy officer designs and deploys privacy policies, the security officer designs access control policies, and the customers can give consent while selecting opt-in and opt-out choices.


  • Access Control
  • Privacy Policy
  • Personal Data
  • Data Subject
  • Access Control Policy

These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

This is a preview of subscription content, access via your institution.

Buying options

USD   29.95
Price excludes VAT (USA)
  • DOI: 10.1007/3-540-36467-6_6
  • Chapter length: 16 pages
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
USD   74.99
Price excludes VAT (USA)
  • ISBN: 978-3-540-36467-2
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
Softcover Book
USD   99.00
Price excludes VAT (USA)


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. M. Abrams. Renewed understanding of access control policies. In 16th National Computer Security Conference, pages 87–96, 1993.

    Google Scholar 

  2. K. Beznosov: Information Enterprise Architectures: Problems and Perspectives. School of Computer Science, PhD Thesis, Florida International University, June 2000.

    Google Scholar 

  3. P. Bonatti, E. Damiani, S. De Capitani di Vimercati, and P. Samarati. An access control system for data archives. In 16th IFIP-TC11 International Conference on Information Security. Paris, France, June 2001.

    Google Scholar 

  4. K. Bohrer and B. Holland (eds.): The Customer Profile Exchange (CPexchange) Specification; Version 1.0, International Digital Enterprise Alliance, October 20, 2000 (from

  5. S. Fischer-Hübner: IT-Security and Privacy. Lecture Notes in Computer Science 1958, Springer-Verlag, 2001.

    MATH  Google Scholar 

  6. S. Hada and M. Kudo. XML Access Control Language: Provisional Authorization for XML Documents, Tokyo Research Laboratory, IBM Research, October 16, 2000 (from

  7. S. Jajodia, M. Kudo, and V S. Subrahmanian. Provisional authorization. In A. Ghosh, editor, E-commerce Security and Privacy, pages 133–159. Klu wer Academic Publishers, 2001. Also published in Workshop on Security and Privacy in E-Commerce (WSPEC), 2000.

    Google Scholar 

  8. G. Karjoth and M. Schunter. A Privacy Policy Model for Enterprises. In 15th IEEE Computer Security Foundations Workshop. IEEE Computer Society Press, 2002.

    Google Scholar 

  9. M. Kudo and S. Hada. XML Document Security based on Provisional Authorizations. In 7th ACM Conference on Computer and Communications Security, pages 87–96, 2000.

    Google Scholar 

  10. C. J. McCollum, J. R. Messing, and L. Notargiacomo. Beyond the pale of MAC and DAC-defining new forms of access control. In IEEE Symposium on Security and Privacy, pages 190–200, 1990.

    Google Scholar 

  11. The Platform for Privacy Preferences 1.0 (P3P1.0) Specification, W3C Recommendation, 16 April 2002 (from

  12. R. Sandhu, E. Coyne, H. Feinstein, and C. Youman: Role-based Access Control Models, IEEE Computer, 28/2 (1996) 38–47.

    Google Scholar 

Download references

Author information

Authors and Affiliations


Editor information

Editors and Affiliations

Rights and permissions

Reprints and Permissions

Copyright information

© 2003 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Karjoth, G., Schunter, M., Waidner, M. (2003). Platform for Enterprise Privacy Practices: Privacy-Enabled Management of Customer Data. In: Dingledine, R., Syverson, P. (eds) Privacy Enhancing Technologies. PET 2002. Lecture Notes in Computer Science, vol 2482. Springer, Berlin, Heidelberg.

Download citation

  • DOI:

  • Published:

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-00565-0

  • Online ISBN: 978-3-540-36467-2

  • eBook Packages: Springer Book Archive