W3C has acknowledged receipt of IBM's Enterprise Privacy Authorization Language (EPAL) Version 1.2 as a Member Submission request. The specification has two parts: a prose description of the syntax and semantics, and a formal definition of the EPAL syntax as an XML Schema. The EPAL technical specification defines a "formal language for writing enterprise privacy policies to govern data handling practices in IT systems according to fine-grained positive and negative authorization rights. It concentrates on the core privacy authorization while abstracting data models and user-authentication from all deployment details such as data model or user-authentication. EPAL is thus an interoperability language for exchanging privacy policy in a structured format between applications or enterprises, supporting the ability to encode an enterprise's privacy-related data-handling policies and practices and providing a language that can be imported and enforced by privacy-enforcement systems. The goal of EPAL is: (1) to enable organizations to be demonstrably compliant with their stated policies; (2) to reduce overhead and the cost of configuring and enforcing data handling policies; and (3) to leverage existing standards and technologies. Whereas the W3C Platform for Privacy Preferences (P3P) Recommendation defines a global terminology that can be used to describe the privacy promises of an enterprise, EPAL aims at formalizing enterprise-internal privacy policies, which requires a fine-grained vocabulary; it also includes a fine-grained hierarchy of purposes for which an enterprise collects data." While EPAL is not in scope for the W3C P3P 1.1 Specification Working Group as currently chartered, the submission will be brought to the attention of the P3P Coordination Group, the P3P community, W3C's AC, and the PET community.
Bibliographic Information
Enterprise Privacy Authorization Language (EPAL 1.2). W3C Member Submission 10-November-2003. Submitted: 10-November-2003. Authors: Paul Ashley (IBM Tivoli Software), Satoshi Hada (IBM Research), Günter Karjoth (IBM Research), Calvin Powers (IBM Tivoli Software), Matthias Schunter (IBM Research). Edited by Calvin Powers (IBM Tivoli Software) and Matthias Schunter (IBM Research). Business Contact: Steve Adler (IBM Tivoli Software). Version URL: http://www.w3.org/Submission/2003/SUBM-EPAL-20031110/. Latest version URL: http://www.w3.org/Submission/EPAL/. Previous version: EPAL 1.0 published as IBM Research Report RZ 3485 (#93951), 03/03/2003.
"This document formally describes EPAL, including concepts, syntax, and semantics. To help readers understand the structure and capabilities of the language, it is presented in several forms. First, a brief overview of the language is given in Section 2 in textual form, explaining the major structures of the language and how they fit together. Secondly, the detailed syntax of the language will be specified in Sections 3 and 4 by parts of the EPAL schema along with some examples of EPAL. Thirdly, the semantics of an EPAL policy is described in Section 5. Data-types that are re-used in multiple places are defined in Section 6. The formal definition of the EPAL syntax is given by the XML Schema for EPAL as an appendix..."
Condensed TOC:
- 1. Introduction
- 2 EPAL Overview and Example
- 2.1 Example of EPAL in Use
- 2.2 UML Overview on the EPAL Syntax
- 2.3 XML Schema of EPAL
- 3. EPAL Vocabularies
- 4. EPAL Policies
- 5. Privacy Authorization - Semantics of an EPAL Policy
- 6. EPAL Data Types
- Appendices
- Appendix 1. References (Normative)
- Appendix 2. References (Non-Normative)
- Appendix 3. Example Authorization Interface
- Appendix 4. Glossary
- Appendix 5: EPAL Functions and Predicates
- Appendix 6. Technological Context of EPAL
- Appendix 7. Complete XML Schema for EPAL
EPAL Specification Abstract
"The Enterprise Privacy Authorization Language (EPAL) technical specification is a formal language for writing enterprise privacy policies to govern data handling practices in IT systems according to fine-grained positive and negative authorization rights. It concentrates on the core privacy authorization while abstracting data models and user-authentication from all deployment details such as data model or user-authentication.
An EPAL policy defines lists of hierarchies of data-categories, user-categories, and purposes, and sets of (privacy) actions, obligations, and conditions. User-categories are the entities (users/groups) that use collected data (e.g., travel expense department or tax auditor). Data-categories define different categories of collected data that are handled differently from a privacy perspective (e.g., medical-record vs. contact-data). Purposes model the intended service for which data is used (e.g., processing a travel expense reimbursement or auditing purposes).
Actions model how the data is used (e.g., disclose vs. read). Obligations define actions that must be taken by the environment of EPAL (e.g., delete after 30 days or get consent). Conditions are Boolean expressions that evaluate the context (e.g., 'the user-category must be an adult' or 'the user-category must be the primary care physician of the data-subject').
These elements are then used to formulate privacy authorization rules that allow or deny actions on data-categories by user-categories for certain purposes under certain conditions while mandating certain obligations. In order to allow for general rules and exceptions, EPAL rules are sorted by descending precedence. E.g., a rule about a particular employee can be inserted before the rule about the department in order to implement an exception..." [v1.2 spec]
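The abstract above describes the shape of an EPAL policy (category hierarchies, rules that allow or deny an action on a data-category by a user-category for a purpose under a condition, obligations attached to a ruling, and rules ordered by descending precedence so that an exception placed before a general rule overrides it). The following evaluator is an added illustration of that structure; it is not code from the EPAL specification, from IBM, or from any EPAL enforcement product. The vocabulary, the rules, the request contexts and the first-applicable-rule semantics with a default ruling are all constructed here as a simplification of the spec's Section 5 semantics, and the names used (USER_HIERARCHY, Rule, Request, authorize, the "log-access" and "delete-after-30-days" obligation strings) are assumptions of this example, not identifiers defined by EPAL.

```python
"""Minimal EPAL-style privacy authorization evaluator (illustration only).

This is an added example, not the EPAL specification's own code.  It models
the structure described in the EPAL 1.2 abstract: hierarchies of user-,
data- and purpose-categories; rules that allow or deny an action under a
condition while mandating obligations; and rules ordered by descending
precedence so the first applicable rule decides.  Real EPAL semantics
(precedence values, default rulings, obligation combination) are richer
than this first-match simplification.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterator, List, Optional, Tuple

# Constructed sample vocabulary: each map is child -> parent.  In EPAL the
# vocabulary is a separate document from the rules; here it is just data.
USER_HIERARCHY: Dict[str, Optional[str]] = {
    "employee": None,
    "travel-expense-dept": "employee",
    "tax-auditor": "employee",
    "physician": "employee",
    "alice": "travel-expense-dept",  # a particular employee, useful for exceptions
}
DATA_HIERARCHY: Dict[str, Optional[str]] = {
    "personal-data": None,
    "contact-data": "personal-data",
    "medical-record": "personal-data",
}
PURPOSE_HIERARCHY: Dict[str, Optional[str]] = {
    "business": None,
    "expense-reimbursement": "business",
    "auditing": "business",
    "treatment": "business",
}


def ancestors(category: str, hierarchy: Dict[str, Optional[str]]) -> Iterator[str]:
    """Yield the category and every ancestor: a rule about a parent covers its descendants."""
    node: Optional[str] = category
    while node is not None:
        yield node
        node = hierarchy.get(node)


@dataclass
class Rule:
    ruling: str                 # "allow" or "deny"
    user_category: str
    data_category: str
    purpose: str
    action: str
    condition: Callable[[dict], bool] = lambda ctx: True   # evaluated over the request context
    obligations: List[str] = field(default_factory=list)   # mandated when this rule decides


@dataclass
class Request:
    user_category: str
    data_category: str
    purpose: str
    action: str
    context: dict = field(default_factory=dict)


def applies(rule: Rule, req: Request) -> bool:
    """A rule applies when each of its categories covers the request's and its condition holds."""
    return (
        rule.user_category in ancestors(req.user_category, USER_HIERARCHY)
        and rule.data_category in ancestors(req.data_category, DATA_HIERARCHY)
        and rule.purpose in ancestors(req.purpose, PURPOSE_HIERARCHY)
        and rule.action == req.action
        and rule.condition(req.context)
    )


def authorize(policy: List[Rule], req: Request, default_ruling: str = "deny") -> Tuple[str, List[str]]:
    """Rules are listed in descending precedence: the first applicable rule decides.

    If no rule applies, the policy's default ruling (assumed "deny" here) is returned
    with no obligations.
    """
    for rule in policy:
        if applies(rule, req):
            return rule.ruling, list(rule.obligations)
    return default_ruling, []


# Constructed sample policy.  The first rule is the exception the abstract
# describes: placed before the general auditing rule, it overrides it for
# medical records even though tax-auditor is an employee and medical-record
# is personal-data.
POLICY: List[Rule] = [
    Rule("deny", "tax-auditor", "medical-record", "auditing", "read"),
    Rule("allow", "employee", "personal-data", "auditing", "read",
         obligations=["log-access"]),
    Rule("allow", "travel-expense-dept", "contact-data", "expense-reimbursement", "read",
         obligations=["delete-after-30-days"]),
    Rule("allow", "physician", "medical-record", "treatment", "read",
         condition=lambda ctx: bool(ctx.get("is_primary_care_physician", False))),
]


def demo() -> Dict[str, Tuple[str, List[str]]]:
    """Evaluate a few constructed requests against POLICY."""
    return {
        "auditor reads medical record": authorize(
            POLICY, Request("tax-auditor", "medical-record", "auditing", "read")),
        "auditor reads contact data": authorize(
            POLICY, Request("tax-auditor", "contact-data", "auditing", "read")),
        "alice reads contact data for reimbursement": authorize(
            POLICY, Request("alice", "contact-data", "expense-reimbursement", "read")),
        "alice reads medical record for reimbursement": authorize(
            POLICY, Request("alice", "medical-record", "expense-reimbursement", "read")),
        "non-primary physician reads medical record": authorize(
            POLICY, Request("physician", "medical-record", "treatment", "read", {})),
        "primary physician reads medical record": authorize(
            POLICY, Request("physician", "medical-record", "treatment", "read",
                            {"is_primary_care_physician": True})),
    }


if __name__ == "__main__":
    for name, (ruling, obligations) in demo().items():
        print(f"{name}: {ruling} {obligations}")
```

Two points worth checking against any real policy engine: the precedence order is what makes the exception work (evaluating `POLICY[1:]` lets the general auditing rule allow the auditor's read of a medical record), and a condition that fails does not produce a deny by itself but merely makes that rule inapplicable, so the outcome then falls to a later rule or to the default ruling.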
From the W3C Team Comment on the EPAL Submission
EPAL was first presented to the W3C community at the W3C Workshop on the long term Future of P3P and Enterprise Privacy Languages. EPAL is a specialized language that describes and constrains the flow of personal data inside an enterprise. The tool is used to implement the paradigm of sticky policies. With EPAL, personal data has the policy data attached to it while traveling through the enterprise. Every enterprise can encode its privacy policy in a metadata format similar to P3P. It contains, for example, purposes and data categories and is supposed to match the corresponding business process. A second EPAL file contains rules to express actions, obligations and conditions. While the vocabulary is intended to be stable, it is easy to change the rules and allow or deny access by another category of users or to introduce a new condition for access. For any given database request, the vocabulary will be used to indicate possible usages and the rules will specify whether, given the purposes, the specific request is allowed for this particular person.
EPAL is designed to expand on the capability of P3P by adding privacy-related access control and authorization in the enterprise context. At the same time, EPAL is a new challenge in the area of privacy enhanced technologies. While P3P was designed to be interoperable across the Web, EPAL is more focused on the intra-enterprise world. If data has to travel over the edges of an enterprise, challenges on matching and mixing vocabularies from two different enterprises appear. Nevertheless, EPAL remains close to P3P. The separation of policy and rules also exists in P3P and its rule-language APPEL. The consent-choices present in EPAL are also under consideration for P3P Version 1.1.
Unlike P3P, the binding between policy and resource is not defined by a Policy Reference File. The fact that a certain data item falls into a certain data category triggers a certain rule. But it is not defined which data falls into a certain data category. This reflects the absence of a consistent system of unique resource identifiers inside a company where data can be stored on a Web-server (with URI) or simply in a SQL database (without URI). The absence of clear identifiers gives some flexibility but affects the semantics of such statements. In fact, the data stored must contain a reference to its data category to be useful. This is reflected by the paradigm of sticky policies described in the introduction. As such archiving can vary depending on the data archiving tools, this is not easy to define. Interoperability might require that the type of identifier used to make the policy stick with the data must be defined by EPAL. [see the complete text of the Team Comment]
IBM IPR Declaration
[In part:] "In the event that this submission, or portions thereof, are included in the W3C Recommendation on an Enterprise Privacy Authorization Language (EPAL), and the Recommendation cannot be practiced without the use of one or more IBM patents, IBM agrees upon written request to grant a nonexclusive, royalty free license, with other reasonable terms and conditions, for patents issued to IBM, which contain claims that are essential to this specification as submitted and for which IBM is able to provide patent licenses, to all entities willing to grant IBM a reciprocal license. IBM expressly disclaims any and all warranties regarding this submission including any warranty that this submission does not violate the rights of others or is fit for a particular purpose..."
About W3C Member Submissions
"The W3C Member Submission process allows Members to propose technology or other ideas for consideration by the Team. After review, the Team may publish the material at the W3C Web site. The formal process affords Members a record of their contribution and gives them a mechanism for disclosing the details of the transaction with the Team (including IPR claims). The Team also publishes review comments on the Submitted materials for W3C Members, the public, and the media...
The acknowledgment of a Submission request does not imply that any action will be taken by W3C. It does not imply an endorsement by W3C, including the W3C Team, any of the Members, or any of the Host Institutes. It merely records publicly that the Submission request has been made by the submitting Member. The specification may not be referred to as "work in process" of the W3C... The reader's attention is drawn to the statement of intellectual property that accompanies each Submission request as there is no implication of any openness or release of proprietary rights in any submitted technology..." [from the Index of Acknowledged Member Submissions to W3C]
Principal references:
- Enterprise Privacy Authorization Language (EPAL 1.2) W3C Member Submission 10-November-2003.
- EPAL XML Schema. Defines the structure of EPAL privacy policies.
- EPAL Submission Request
- Team Comment on the EPAL Submission. By Rigo Wenning, (W3C Privacy Activity Lead)
- IBM contact: Steven Adler or Arnaud Le Hors.
- Acknowledged Member Submissions to W3C
- Earlier EPAL news:
- "IBM Releases Updated Enterprise Privacy Authorization Language (EPAL) Specification." News story 2003-07-09.
- "IBM's Enterprise Privacy Authorization Language (EPAL)." News story 2003-05-09.
- See also W3C P3P:
- W3C Platform for Privacy Preferences (P3P) Project
- W3C Privacy Activity Statement
- Mail Archives for W3C list 'public-p3p@w3.org'. For general privacy discussions and announcements concerning P3P.
- W3C Workshop on the Long Term Future of P3P and Enterprise Privacy Languages. Kiel (Schleswig-Holstein, Germany), June 19-20, 2003. See also the submitted position papers and Minutes of the P3P 2.0 Workshop.
- The Platform for Privacy Preferences 1.0 (P3P1.0) Specification. W3C Recommendation 16-April-2002.
- "A P3P Preference Exchange Language 1.0 (APPEL1.0)." W3C Working Draft 15-April-2002.
- P3P Compact Privacy Policy Report
- "Enterprise Privacy Authorization Language (EPAL)" - Main reference page.