Section: New Results
Participants: Julien Le Clainche, Daniel Le Métayer, Guillaume Piolle, Romuald Thion.
Legal perspective on the implementation of privacy policies
We have studied the legal issues raised by the implementation of privacy policies through “Privacy Agents”, dedicated software components acting as “surrogates” of the subjects and managing their personal data on their behalf. The subject can define his privacy requirements once and for all, with all the information and assistance required, and then rely on his Privacy Agent to implement these requirements faithfully. This technical solution raises a number of questions from the legal side: for example, to what extent should a consent delivered via a software agent be considered legally valid? Are the current regulations flexible enough to accept this kind of delegation to an automated system? Can the Privacy Agent be “intelligent” enough to deal with all possible situations? Should subjects really rely on their Privacy Agent, and what would be the consequences of any error (bug, misunderstanding...) in the process?
In order to shed some light on these legal issues, we have focused on three main aspects of consent: (1) its legal nature (unilateral versus contractual act), (2) its essential features (qualities and defects) and (3) its formal requirements. In a second stage, we have drawn the lessons learned from this legal analysis to put forward design choices ensuring that Privacy Agents can be used as valid means to deliver the consent of the data subject. Several kinds of Privacy Agents have been proposed (Subject Agents, Controller Agents and Auditor Agents) and the roles of the different actors involved in the process have been defined precisely. Privacy policies themselves can be expressed in a restricted (pattern-based) dedicated natural language. In order to avoid ambiguities in the expression of the policies, a mathematical semantics of the privacy language has been defined. This mathematical semantics characterizes precisely the expected behaviour of the Privacy Agents (based on the privacy policies defined by their users) in terms of compliant execution traces. In addition, all privacy-related actions can be recorded into log files and used as evidence in case of legal dispute.
This work is an illustration of the privacy by design approach. Beyond the specific application to privacy, we have studied in a systematic way the different modes of organization of regulations, the means to measure their practical results (relevance, effectiveness, efficiency, etc.) and the potential effects of the use of technologies on these results. Current privacy regulations have been assessed with respect to these criteria, as well as the Software Agent solution put forward here (which appears to implement three regulation modes: administrative controls, deontological rules and liability rules).
A logical framework for the expression of privacy policies
As mentioned above, privacy is quite a subtle notion and the definition of a formal framework for expressing privacy properties and reasoning about them is of prime importance. A major challenge in this respect is to find the appropriate way of integrating deontic and temporal operators. Deontic operators are required because privacy policies are typically expressed in terms of obligations and interdictions. Temporal operators are necessary because obligations and interdictions usually come with deadlines: for example, the controller must inform the data subject before forwarding his data to a third party, or must delete the data within a given period of time. Our work on this topic is the follow-up of a thesis prepared in the LIG laboratory (Magma team), which has put forward a number of requirements for a suitable integration of deontic and temporal operators to express privacy properties (e.g. propagation of obligations until the obligation is met or the deadline is reached, monotonicity with respect to deadlines, etc.) and has studied their implications in a new deontic logic for privacy (DLP). DLP includes past and future operators as well as an obligation operator, and its semantics is defined over Kripke-like bi-dimensional structures. We have shown, by translation into DLP, that existing proposals do not satisfy all the requirements, and we have proposed new ways of expressing obligations with deadlines which meet these requirements. This model has been used to express typical rules occurring in privacy regulations and to check that these rules convey their intuitive meaning.
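As an added illustration of the compliant-execution-trace view of policies in the two paragraphs above (this is example code written for this page, not code from the report or from the DLP work), the following Python checker replays a log of privacy-related actions against an ordering obligation (inform before forward) and an obligation with a deadline (delete within a fixed period after collection), propagating the pending obligation from event to event until it is met or its deadline passes. The action vocabulary, the event format, the sample log and the deadline value are all assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    t: int        # logical timestamp of the logged action
    action: str   # "collect", "inform", "forward" or "delete" (assumed vocabulary)
    data: str     # identifier of the personal data item concerned


def check_trace(trace, deletion_deadline):
    """Replay a log against two rules; return (violations, open_obligations).

    Rule 1 (ordering): "inform" on a data item must precede any "forward" of it.
    Rule 2 (deadline): "delete" must follow "collect" within deletion_deadline
    time units. The obligation propagates from event to event until it is met
    or its deadline is passed, at which point it is recorded as a violation.
    Obligations whose deadline lies beyond the end of the trace stay open.
    """
    violations = []
    informed = set()   # data items whose subject has been informed
    pending = {}       # data item -> timestamp by which it must be deleted
    for ev in sorted(trace, key=lambda e: e.t):
        # Any pending obligation whose deadline is already past is violated.
        for item, deadline in list(pending.items()):
            if ev.t > deadline:
                violations.append(f"{item}: not deleted by t={deadline}")
                del pending[item]
        if ev.action == "collect":
            pending[ev.data] = ev.t + deletion_deadline
        elif ev.action == "inform":
            informed.add(ev.data)
        elif ev.action == "forward" and ev.data not in informed:
            violations.append(f"{ev.data}: forwarded at t={ev.t} without prior inform")
        elif ev.action == "delete":
            pending.pop(ev.data, None)  # obligation met in time (deadline not yet past)
    return violations, dict(pending)


# Constructed sample log (not taken from the report); use a deletion deadline of 10.
SAMPLE_TRACE = [
    Event(0, "collect", "d1"),
    Event(1, "inform", "d1"),
    Event(2, "forward", "d1"),   # compliant: subject informed at t=1
    Event(3, "delete", "d1"),    # compliant: deleted before t=10
    Event(4, "collect", "d2"),
    Event(5, "forward", "d2"),   # violation: no prior "inform" for d2
    Event(20, "collect", "d3"),  # d2's deletion deadline (t=14) is now past
    Event(25, "delete", "d3"),   # compliant: d3's deadline is t=30
]
```

Calling `check_trace(SAMPLE_TRACE, 10)` reports the two d2 violations and no open obligation, which is the kind of evidence the report suggests extracting from recorded logs.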
Privacy policies for healthcare records