Assuring GDPR Conformance Through Language-Based Compliance

  • Conference paper
Privacy and Identity Management. Sharing in a Digital World (Privacy and Identity 2023)

Abstract

Existing legal regulations, such as the GDPR in the European Union, exert significant pressure on businesses to embed legal principles into their information systems. These legislative provisions, expertly crafted in natural language, pose technical challenges for achieving GDPR compliance. In particular, formal reasoning about compliance at the level of programming code is challenging. Available alternatives, such as manual auditing, have demonstrated limited scalability, and the absence of system-level support has led to substantial penalties for businesses and a loss of control over their personal data for users. Hence, we develop an approach that intends to reconcile the existing challenges in software implementations with the GDPR through programming language support. We build on earlier work introducing a privacy-aware active object language and its operational semantics. To demonstrate the practicality, we here present a prototype implementation within the Maude formalism, which validates our semantics and model-checks GDPR compliance properties within any given configuration. Our work is limited to certain key concepts of the GDPR that can be interpreted at the programming level. We focus on processing rights based on user consent.

Notes

  1. The full policy language includes additional aspects of the GDPR, such as location and retention time. For simplicity, in this paper, we only explore how to deal with entities, purposes, and actions.

  2. The Maude theories formalizing PAL's operational semantics, along with examples of PAL programs and property checking, can be downloaded at https://github.com/Chinmayiprabhu/maudeInterpreter.git.

Corresponding author

Correspondence to Chinmayi Prabhu Baramashetru.

Copyright information

© 2024 IFIP International Federation for Information Processing

About this paper

Cite this paper

Baramashetru, C.P., Tapia Tarifa, S.L., Owe, O. (2024). Assuring GDPR Conformance Through Language-Based Compliance. In: Bieker, F., de Conca, S., Gruschka, N., Jensen, M., Schiering, I. (eds) Privacy and Identity Management. Sharing in a Digital World. Privacy and Identity 2023. IFIP Advances in Information and Communication Technology, vol 695. Springer, Cham. https://doi.org/10.1007/978-3-031-57978-3_4

  • DOI: https://doi.org/10.1007/978-3-031-57978-3_4

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-57977-6

  • Online ISBN: 978-3-031-57978-3

  • eBook Packages: Computer Science (R0)
