Towards a declarative approach to stateful and stateless usage control for data protection

Virtually any online website or service has a rising need for data protection mechanisms, especially for personal data, considering initiatives such as the new General Data Protection Regulation to operate on the EU economic space, or the Cybersecurity Law for the Chinese market. It seems therefore necessary to dispose of mechanisms that help both users, as well as legal experts and practitioners to automatically manage the processing of personal and sensitive data in a secure and compliant manner, to reduce the probability of human errors. To this aim, we show here our initial proposal for an automatically enforceable policy language, UPOL, for access and usage control of personal information, aiming at transparent and accountable data usage. UPOL extends and combines previous research results, U-XACML and PPL, and it is part of a more general proposal to regulate multi-party data sharing operations. A use case is proposed, considering challenges brought by the new EU's GDPR.