Privacy-Aware Access Control

Background

Privacy is recognized as a fundamental human right by the Universal Declaration of Human Rights of the United Nations (1948), as well as the Charter of Fundamental Rights of the European Union (European Parliament, Council & Commission, 2000). It is protected by relevant legislation in all the democratic countries throughout the world (cf., e.g., Greenleaf, in press). A significant milestone in the privacy literature has been the codification of the fundamental privacy principles by the Organization for Economic Co-operation and Development (1980), as this codification lays out the basis for the protection of privacy. The OECD principles are reflected in the European Directive 95/46/EC (European Parliament and Council, 1995), “on the protection of individuals with regard to the processing of personal data and on the free movement of such data.” The Directive 95/46/EC enforces a high standard of data protection and constitutes the most influential piece of privacy legislation worldwide (cf., e.g., Greenleaf, 2012), that seems to pull a general framework and has been characterized as an “engine of a global regime” (Birnhack, 2008), affecting many countries outside Europe in enacting similar laws. It is further particularized and complemented by subsequent Directives, as well as various Decisions, Recommendations, and Opinions of the Article 29 Data Protection Working Party, among others. Recently, a reform to the existing data protection framework has been proposed (European Commission, 2012); among the most significant features introduced, it will require companies to conduct privacy impact assessments, to implement “Privacy by Design” principles, and to ensure “Privacy by Default” in their applications, while individuals will have greater rights, such as the “Right to be Forgotten” and the “Right to Data Portability.”