16 V. Morel & R. Pardo
of the language, DS or DC; and v) whether it is intended to be used by lay-users. Table 3
summarizes our study.
5.1 Content
Here we describe the content that machine-readable privacy policies include. This content is
determined by the syntax of the privacy language. Many languages are defined using machine-
readable formats such as XML so that they can be automatically processed by machines. Other
languages, however, are based on mathematical definitions (e.g., logical languages), thus enabling
the possibility of reasoning about them — these languages can easily be expressed in machine-
readable formats due to the lack of ambiguity. Another important factor is the target audience
of a language, i.e., DC, DS or both. In what follows, we describe the content of machine-readable
languages (according to the items defined in Section 3), the format used to express the policies
and their target audience.
Access control languages such as XACML [9] and RBAC [94] have been among the first
languages used for the specification of machine-readable privacy policies. Typically, these policies
include the datatype to which they apply, and the set of entities with access privileges. Some
extensions such as GeoXACML [66] include conditions depending on geolocation information.
Usage control (UCON) [76, 81] extends access control with the notion of obligations, i.e., actions
to be executed after data has been received — e.g., “do not transfer data item i to Service
X” or “remove data on 25/05/2018”. These obligations make it possible to express items such
as retention time, purpose and allowed data transfers. The Obligation Specification Language
(OSL) [51] is a fully-fledged UCON language. OSL leverages Digital Right Management systems
(DRMs) [42] to enforce the obligations in UCON policies. Both access control and UCON are
used by DC to define their policies, and do not offer mechanisms for DS to express their policies.
Several languages focused on expressing privacy policies have been developed. One of the
first is the “Platform for Privacy Preferences” (P3P) [27]. P3P appeared as a policy language
for the web. P3P policies are specified in XML format, and include: purpose, retention time,
and conditions. Conditions may be opt-in and/or opt-out choices for DS, or preferences based
on enterprise data — e.g., DS’s credit or service usage. Many extensions to P3P have been
proposed [64, 11, 7] — for instance, E-P3P [11] extends P3P with obligations `a la UCON. After
P3P, new languages with similar syntax have been proposed: “Enterprise Policy Authorization
Language” (EPAL) [12], “An Accountability Policy Language” (A-PPL) [13], “Customer Profile
Exchange” (CPExchange) [18], “Privacy Rights Markup Language” (PRML) [115], “Purpose-to-
Use” (P2U) [56] and “Layered Privacy Language” (LPL) [45]. These languages are similar than
P3P in terms of content, but bring numerous enhancements in terms of usability and enforcement
(see Section 5.2).
Formal privacy languages (formal languages in the following) comprise a different approach
to express privacy policies. CI [73], PrivacyAPIs [67], SIMPL [65], PrivacyLFP [33], S4P [17],
QPDL [107], and PILOT [75] are languages that have their syntax and semantics defined math-
ematically. More precisely, they use formal languages such as Linear Temporal Logic [53], First-
Order Logic [53] or Authorization Logic [5]. However, not all of these formal languages have the
same focus. S4P, SIMPL and PILOT are focused on expressing DS and DC policies. Similarly
to the languages above, it is possible to express types of data, conditions, purpose, retention
time and allowed data transfers. Conditions are often more sophisticated than that of the pre-
vious languages as they are based on logical languages. On the other hand, CI, PrivacyAPIs
and PrivacyLFP focus on encoding privacy regulations such as HIPAA [104], COPPA [41] or
GLBA [105]. As a consequence, their expressive power is greater than languages focusing on
DS and DC policies. They include temporal operators that make it possible to express policies
Inria