arxiv: 2604.10832 · v1 · submitted 2026-04-12 · 💻 cs.CR

Privacy as Permissible Operations: An ABAC Framework for Policy-Law Compliance

Pith reviewed 2026-05-10 15:03 UTC · model grok-4.3

keywords ABAC · privacy policy · legal compliance · data protection · access control · policy verification · Digital Personal Data Protection Act · browser plugin

The pith

A privacy policy complies with the law when its implied access requests are permitted by ABAC rules that encode the law's requirements.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper presents APLiance as a way to verify that an organization's privacy policy respects the rules of a data protection law. Legal provisions are expressed as Attribute-Based Access Control rules, and each clause of the policy is rewritten as one or more implied access requests. The policy passes the check only if every such request would be allowed under the rules. This approach matters because new privacy statutes are appearing worldwide and manual review of lengthy policies is slow and error-prone. The authors apply the method to India's Digital Personal Data Protection Act and supply a browser plugin that performs the check automatically whenever a user views a website's privacy page.

Core claim

APLiance models the requirements of different sections of a privacy law in the form of ABAC rules and represents the clauses of a privacy policy as a sequence of implied access requests. A policy is considered compliant with the law if these access requests are permitted by the corresponding ABAC rules. The framework is demonstrated on the Digital Personal Data Protection Act of India, and a browser plugin has been released that performs real-time compliance checking on any privacy policy page.

What carries the argument

The APLiance ABAC framework, which encodes legal sections as access-control rules and policy clauses as access requests so that compliance reduces to a permission check.
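
The permission check described above, as an added example that is not the paper's or the plugin's code. The rules, attribute names and values, and sample clauses are constructed for illustration and do not encode any actual DPDP Act section; denying requests that no rule governs is an assumption.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class Rule:
    name: str                          # constructed label, not a statute citation
    applies: Callable[[dict], bool]    # which requests this rule governs
    permits: Callable[[dict], bool]    # condition such a request must satisfy

# Constructed rules for illustration; not the paper's encoding of any DPDP Act section.
RULES = [
    Rule("consent-before-processing",
         lambda r: r["action"] in {"collect", "use", "share"},
         lambda r: r.get("consent_status") == "active"),
    Rule("purpose-limitation",
         lambda r: r["action"] in {"use", "share"},
         lambda r: r.get("purpose") in r.get("consented_purposes", ())),
    Rule("bounded-retention",
         lambda r: r["action"] == "retain",
         lambda r: r.get("retention") == "until_purpose_served"),
]

def evaluate(request, rules=RULES):
    """Return (permitted, violated_rule_names). Deny by default: a request
    that no rule governs is not permitted (an assumption of this example)."""
    applicable = [rule for rule in rules if rule.applies(request)]
    violated = [rule.name for rule in applicable if not rule.permits(request)]
    return bool(applicable) and not violated, violated

def check_policy(clauses, rules=RULES):
    """clauses: list of (clause_text, [implied access requests]).
    The policy is compliant only if every implied request is permitted."""
    findings = []
    for text, requests in clauses:
        for req in requests:
            permitted, violated = evaluate(req, rules)
            if not permitted:
                findings.append((text, req["action"], violated or ["no-applicable-rule"]))
    return not findings, findings

# Constructed policy clauses with hand-written request translations.
POLICY = [
    ("We collect your email address at sign-up with your consent.",
     [{"object": "email", "action": "collect", "consent_status": "active"}]),
    ("We share your email address with advertising partners.",
     [{"object": "email", "action": "share", "consent_status": "active",
       "purpose": "advertising", "consented_purposes": ("account_management",),
       "recipient": "third_party"}]),
    ("We keep your data indefinitely.",
     [{"object": "email", "action": "retain", "retention": "indefinite"}]),
]

if __name__ == "__main__":
    compliant, findings = check_policy(POLICY)
    print("compliant:", compliant)
    for text, action, violated in findings:
        print(f"  DENY {action}: {violated} <- {text!r}")
```

The clause-to-request translation is written by hand here; the verdict is only as sound as that translation, which is the premise the page identifies as load-bearing.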

If this is right

  • Enterprises obtain an automated procedure to confirm that their published privacy policies satisfy statutory obligations.
  • Real-time browser tools can surface compliance issues the moment a policy page is loaded.
  • The same rule-and-request structure applies to any other jurisdiction once the relevant legal sections are encoded as ABAC rules.
  • Auditors and regulators gain a repeatable, machine-checkable criterion instead of subjective textual comparison.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Natural-language processing could be tested to generate the access-request sequences from policy text, reducing the need for manual translation.
  • The same encoding might be used to compare two different policies or to track how a policy drifts after an update.
  • Regulators could publish official ABAC rule sets for their statutes, allowing any organization to run the check against a canonical version.
  • Integration into website builders could prevent non-compliant policies from being published in the first place.

Load-bearing premise

Clauses in a privacy policy can be accurately and unambiguously translated into a sequence of implied access requests without loss of legal meaning.

What would settle it

A privacy-policy clause whose translated access requests are all permitted by the ABAC rules yet the clause still violates the actual statutory text, or a clause that is legally valid yet produces at least one denied request.

Figures

Figures reproduced from arXiv: 2604.10832 by Ajay Dhakar, Arunesh Sinha, Shamik Sural.

Figure 1: System architecture: legal rules are formalized into attribute-based con

Original abstract

In recent years, many countries have started enacting laws to safeguard privacy of personal data of their citizens collected and maintained by various enterprises through websites, mobile apps, and other means. It is imperative that the privacy policies of these enterprises respect the provisions of the applicable law. In this paper, we show how such organizational privacy policies can be efficiently checked against a prevalent law. Our novel approach named APLiance (\underline{A}BAC framework for \underline{P}olicy-\underline{L}aw Compl\underline{iance}) models the requirements of the different sections of a privacy law in the form of Attribute-based Access Control (ABAC) rules and the clauses of a privacy policy as a sequence of implied access requests. A policy is considered to be compliant with the law if these access requests are permitted by the corresponding ABAC rules. Although APLiance can be used in any policy-law setting, we demonstrate its effectiveness in the context of the recently introduced Digital Personal Data Protection Act of India. A browser plugin has been developed and publicly released for real time compliance checking using APLiance whenever a user visits the privacy policy page of a website.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 1 minor

Summary. The paper introduces APLiance, an ABAC-based framework for verifying that organizational privacy policies comply with applicable privacy laws. Law sections are modeled as Attribute-Based Access Control rules, while policy clauses are represented as sequences of implied access requests; compliance holds if the requests are permitted by the rules. The approach is demonstrated in the context of India's Digital Personal Data Protection Act, and a browser plugin for real-time checking on visited privacy-policy pages has been publicly released.

Significance. If the mappings from statutory text to ABAC rules and from natural-language policy clauses to discrete access requests can be performed without material semantic loss, APLiance would supply a systematic, automatable method for policy-law compliance checking. This could assist enterprises, regulators, and users in data-protection contexts. The public release of the browser plugin is a concrete strength that supports reproducibility and practical follow-on work. The claimed generality to any policy-law pair is also potentially useful, though the manuscript supplies no concrete derivations or metrics to ground these benefits.

major comments (2)
  1. [Abstract and §3] Abstract and §3 (Framework): The central claim states that 'a policy is considered to be compliant with the law if these access requests are permitted by the corresponding ABAC rules.' This claim is load-bearing on the assumption that all legally relevant elements (conditional consents, purpose limitations, retention periods, third-party sharing, erasure rights, cross-border conditions) can be losslessly reduced to subject-object-action tuples. The manuscript provides no worked examples of such reductions for any DPDP Act section, leaving the semantic-preservation question unaddressed.
  2. [Demonstration section] Demonstration section (likely §4): The abstract asserts that APLiance 'demonstrate[s] its effectiveness' on the DPDP Act and that a plugin has been released. No concrete ABAC rules derived from specific statutory text, no parsing procedure for policy clauses, and no compliance-checking results or accuracy metrics are supplied. Without these, the effectiveness claim cannot be evaluated and the risk of false compliance (or false violation) remains untested.
minor comments (1)
  1. [Abstract] Abstract: The underlined formatting used for 'APLiance' and the acronym expansion may not render consistently; consider standard LaTeX emphasis or boldface.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for their constructive and detailed comments. We address each major comment below and will revise the manuscript to incorporate additional concrete examples, derivations, and evaluation details as outlined.

Point-by-point responses
  1. Referee: [Abstract and §3] Abstract and §3 (Framework): The central claim states that 'a policy is considered to be compliant with the law if these access requests are permitted by the corresponding ABAC rules.' This claim is load-bearing on the assumption that all legally relevant elements (conditional consents, purpose limitations, retention periods, third-party sharing, erasure rights, cross-border conditions) can be losslessly reduced to subject-object-action tuples. The manuscript provides no worked examples of such reductions for any DPDP Act section, leaving the semantic-preservation question unaddressed.

    Authors: We agree that worked examples are required to demonstrate how complex legal elements map to ABAC without material semantic loss. In the revised version, we will add a dedicated subsection to §3 that provides explicit mappings for key DPDP Act provisions. For example, consent will be modeled via attributes capturing the data principal (subject), personal data item (object), processing operation (action), and additional attributes for purpose, consent status, and conditions; purpose limitations and retention periods will be encoded as rule conditions on those attributes; third-party sharing and cross-border transfers will use environment attributes for recipient and jurisdiction. These examples will illustrate the reduction process and allow readers to evaluate semantic fidelity.

    revision: yes

  2. Referee: [Demonstration section] Demonstration section (likely §4): The abstract asserts that APLiance 'demonstrate[s] its effectiveness' on the DPDP Act and that a plugin has been released. No concrete ABAC rules derived from specific statutory text, no parsing procedure for policy clauses, and no compliance-checking results or accuracy metrics are supplied. Without these, the effectiveness claim cannot be evaluated and the risk of false compliance (or false violation) remains untested.

    Authors: The current demonstration section emphasizes the plugin's architecture and public release for real-time use. To make the effectiveness claim evaluable, we will substantially expand §4 to include: (i) the specific ABAC rules derived from selected DPDP Act sections, (ii) the procedure for parsing policy clauses into sequences of implied access requests (including how natural-language elements are discretized into subject-object-action tuples with attributes), and (iii) results from applying the framework to multiple real-world privacy policies, together with observed compliance outcomes and any quantitative indicators of accuracy or error types. This will directly address concerns about false compliance or violation and provide concrete grounding for the claimed benefits, including generality across policy-law pairs.

    revision: yes

Circularity Check

0 steps flagged

No significant circularity

The paper introduces APLiance as a modeling framework that translates statutory sections into ABAC rules and policy clauses into implied access requests, then defines compliance as the requests being permitted by the rules. This is a direct methodological proposal with no self-referential definitions, no fitted parameters renamed as predictions, and no load-bearing self-citations or uniqueness theorems. The derivation chain consists of explicit modeling choices presented as such, without any step reducing by construction to its own inputs. The framework is self-contained against external benchmarks of ABAC expressiveness and legal mapping utility.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

Abstract provides no explicit free parameters, axioms, or invented entities; the approach relies on standard ABAC concepts applied to a new domain.


Paper appendix (excerpt)

In this Appendix, we present the LLM prompts used in our work and ...

  • Carefully read the privacy policy
  • Determine whether the policy explicitly or implicitly provides information related to each attribute
  • If explicitly stated, assign the corresponding value
  • If logically inferable, assign the inferred value

Strictly choose values only from the provided possible_values. Output Format: [{ "attribute_name": "law_applicable", "inferred_value": "true", "justification": "The policy states that services are offered to users in India, which brings the processing under the DPDP Act." },{ "attribute_name": "consent_status", "inferred_value": "active", "justification": ...