Extracting Access Control and Conflict Resolution Policies from European Data Protection Law

Kaniz Fatema, David Chadwick, Brendan Van Alsenoy

    Research output: Chapter in Book/Published conference outputConference publication


    This paper presents the extraction of a legal access control policy and a conflict resolution policy from the EU Data Protection Directive [1]. These policies are installed in a multi-policy authorization infrastructure described in [2, 3]. A Legal Policy Decision Point (PDP) is constructed with a legal access control policy to provide automated decisions based on the relevant legal provisions. The legal conflict resolution policy is configured into a Master PDP to make sure that the legal access control policy gets priority over access control policies provided by other authorities i.e. the data subject, the data issuer and the data controller. We describe how clauses of the Directive are converted into access control rules based on attributes of the subject, action, resource and environment. There are currently some limitations in the conversion process, since the majority of provision require additional interpretation by humans. These provisions cannot be converted into deterministic rules for the PDP. Other provisions do allow for the extraction of PDP rules but need to be tailored to the application environment before they are configured into the Legal PDP.
    Original languageEnglish
    Title of host publicationIFIP Advances in Information and Communication Technology, Springer
    ISBN (Electronic)978-3-642-31668-5
    ISBN (Print)978-3-642-31667-8
    Publication statusPublished - 2011


    Dive into the research topics of 'Extracting Access Control and Conflict Resolution Policies from European Data Protection Law'. Together they form a unique fingerprint.

    Cite this