Jeroen de Rooij
The Platform for Privacy Preferences Project (P3P) is emerging as an industry standard providing a simple, automated way for users to gain more control over the use of personal information on Web sites they visit. At its most basic level, P3P is a standardized set of multiple-choice questions, covering all the major aspects of a Web site's privacy policies. Taken together, they present a clear snapshot of how a site handles personal information about its users. P3P-enabled Web sites make this information available in a standard, machine-readable format. P3P-enabled browsers can "read" this snapshot automatically and compare it to the consumer's own set of privacy preferences. P3P enhances user control by putting privacy policies where users can find them, in a form users can understand, and, most importantly, enables users to act on what they see [1].
EPAL is a formal language for writing enterprise privacy policies to govern data handling practices in IT systems according to fine-grained positive and negative authorization rights [2].
P3P enables a Web site to describe what kind of data is collected and how this data will be used. A P3P policy may contain the purposes, the recipients, the retention period, and a textual explanation of why this data is needed. P3P defines standardized categories for each kind of information included in a policy. Unlike P3P, EPAL defines the privacy practices that are implemented inside an enterprise. Since this depends on internal details of the enterprise, it results in much more detailed policies that can be enforced and audited automatically. However, the resulting privacy guarantees can sometimes be simplified as a P3P promise that is offered to the users of the services [2].
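The comparison a P3P-enabled user agent performs can be sketched as follows. This is an added example, not code from the paper or from any P3P implementation: the policy is a constructed sample using P3P 1.0 element names, and the `BLOCKED` preference set and the `evaluate` function are hypothetical stand-ins for a real preference language such as APPEL.

```python
import xml.etree.ElementTree as ET

NS = "{http://www.w3.org/2002/01/P3Pv1}"  # P3P 1.0 namespace

# Constructed sample policy (not taken from any real site).
SAMPLE_POLICY = """<POLICY xmlns="http://www.w3.org/2002/01/P3Pv1" name="sample">
  <STATEMENT>
    <PURPOSE><current/><admin/></PURPOSE>
    <RECIPIENT><ours/></RECIPIENT>
    <RETENTION><stated-purpose/></RETENTION>
    <DATA-GROUP><DATA ref="#user.home-info.postal"/></DATA-GROUP>
  </STATEMENT>
  <STATEMENT>
    <PURPOSE><telemarketing/></PURPOSE>
    <RECIPIENT><ours/><unrelated/></RECIPIENT>
    <RETENTION><indefinitely/></RETENTION>
    <DATA-GROUP><DATA ref="#user.home-info.telecom.telephone"/></DATA-GROUP>
  </STATEMENT>
</POLICY>"""

# Hypothetical user preferences: practices this user does not accept.
BLOCKED = {
    "PURPOSE": {"telemarketing", "individual-decision"},
    "RECIPIENT": {"unrelated", "public"},
    "RETENTION": {"indefinitely"},
}

def declared(stmt, tag):
    """Return the practice names a STATEMENT declares under PURPOSE, RECIPIENT or RETENTION."""
    node = stmt.find(NS + tag)
    return set() if node is None else {child.tag.replace(NS, "") for child in node}

def evaluate(policy_xml, blocked):
    """List (statement number, element, practice, data refs) for every blocked practice."""
    # Policies come from untrusted sites; a real agent should parse them
    # with a hardened XML parser (for example defusedxml).
    root = ET.fromstring(policy_xml)
    findings = []
    for number, stmt in enumerate(root.iter(NS + "STATEMENT"), start=1):
        data_refs = [d.get("ref") for d in stmt.iter(NS + "DATA")]
        for tag in ("PURPOSE", "RECIPIENT", "RETENTION"):
            for practice in sorted(declared(stmt, tag) & blocked.get(tag, set())):
                findings.append((number, tag, practice, data_refs))
    return findings

if __name__ == "__main__":
    for finding in evaluate(SAMPLE_POLICY, BLOCKED):
        print(finding)
```

Only the second statement of the sample conflicts with the preferences, which shows that a policy is evaluated per statement and per data element rather than as a single accept or reject.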
To enhance the position of P3P in the future we believe it is necessary to integrate 'front-end' privacy language (P3P) with 'back-end' privacy languages and PETs used by organizations internally. Arguments for our position are:
The privacy life cycle (policy development; data handling modelling; gap and risk analyses; implementation; monitoring and enforcement; audit and reporting) should be supported by a well-structured set of tools and formats. These tools and formats, together with privacy-enhanced business IT systems, must guarantee compliance with privacy regulation and principles.
Future research and development should also focus on building a structured set of integrated tools that enable effective and efficient privacy management. These tools should support the privacy life cycle end-to-end, and privacy components (like privacy policies and statements) should be made re-usable within the life cycle. Furthermore, privacy awareness amongst citizens and the availability of privacy tools should get more emphasis.
[2]: http://www.zurich.ibm.com/security/enterprise-privacy/epal/Specification/index.html