A Type System for Data Privacy Compliance in Active Object Languages

TL;DR

This paper introduces a type system for active object languages that automatically enforces GDPR compliance by tracking data flows and user consent, integrating privacy checks into system execution.

Contribution

It presents a novel language-based approach combining static and runtime techniques to ensure data privacy compliance in software systems.

Findings

Type system enables automatic GDPR compliance verification.

Framework supports tracking of user consent and data flow constraints.

Demonstrated soundness and practical applicability through examples.

Abstract

Data protection laws such as GDPR aim to give users unprecedented control over their personal data. Compliance with these regulations requires systematically considering information flow and interactions among entities handling sensitive data. Privacy-by-design principles advocate embedding data protection into system architectures as a default. However, translating these abstract principles into concrete, explicit methods remains a significant challenge. This paper addresses this gap by proposing a language-based approach to privacy integration, combining static and runtime techniques. By employing type checking and type inference in an active object language, the framework enables the tracking of authorised data flows and the automatic generation of constraints checked at runtime based on user consent. This ensures that personal data is processed in compliance with GDPR constraints. The key contribution of this work is a type system that gather the compliance checks and the changes to users consent and integrates data privacy compliance verification into system execution. The paper demonstrates the feasibility of this approach through a soundness proof and several examples, illustrating how the proposed language addresses common GDPR requirements, such as user consent, purpose limitation, and data subject rights. This work advances the state of the art in privacy-aware system design by offering a systematic and automated method for integrating GDPR compliance into programming languages. This capability has implications for building trustworthy systems in domains such as healthcare or finance, where data privacy is crucial.