Nearby: Workshop home page

W3C Technology and Society Domain

Call For Participation:

W3C Workshop on the
long-term Future of P3P
Enterprise Privacy Languages

19-20 June 2003, Kiel, Schleswig-Holstein, Germany


Date: The Workshop will be held only Thursday 19 and Friday 20 June. Please adapt your travel plans

Location: The Workshop was moved from Multimedia-Campus the Office of the Independent Center for Privacy Protection. See Directions

Workshop Goal

The World Wide Web Consortium is sponsoring a workshop to discuss future applications of P3P and the Enterprise Privacy Languages, and get feedback on what additional specifications or coordination efforts might be necessary to support them. We are inviting position papers that discuss either technology or policy considerations (or both) for the long-term future of P3P. Papers can be based on the current P3P specification, but also go beyond backwards compatibility to P3P 1.0. The results of this workshop will inform W3C's decision making on future P3P strategy, stimulate discussions of new developments and directions for the long-term future of P3P and privacy metadata based solutions in general and facilitate coordination with organizations engaged in related efforts.

We also want to evaluate the interest in enterprise privacy policy enforcement languages and to consider the relationship and/or integration of such a language with respect to P3P. One proposal for Enterprise Privacy languages that has come to the attention of the Workshop co-chairs is Enterprise Privacy Authorization Language (EPAL), developed by IBM.  It is an example of such a formalized and fine-grained purpose-based enterprise privacy policy language that provides enterprise enforcement opportunities for P3P 1.0 declarative policies. 

The goals for the Enterprise Privacy Languages area are:


Some existing languages:

The Platform for Privacy Preferences 1.0 (P3P1.0) was released as a W3C Recommendation on 16 April 2002. Already, P3P1.0 has been implemented in two major browsers, a proxy service, a browser add-on, and other user agent software. In addition, several P3P policy generator and editor tools are available, and tools to track P3P usage are being integrated into Web site privacy policy management systems. Besides the existing P3P tools, a variety of other P3P tools and services have been proposed. As Web sites adopt P3P, limitations have been discovered and new features are being suggested for possible inclusion in P3P1.x or P3P2.0.

One proposal for Enterprise Privacy languages that has come to the attention of the Workshop co-chairs is the Enterprise Privacy Authorization Language (EPAL). It is a formal rules language for writing enterprise privacy policies to control data handling practices in IT systems according to purpose specification, IT actions, fine-grained positive and negative authorization rights, and complex conditions. It concentrates on the core privacy authorization while abstracting data models and user-authentication from all deployment details such as data model or user-authentication. An EPAL policy defines lists of hierarchies of data-categories, data-users, and purposes, and sets of (privacy) actions, obligations, and conditions. Data-users are the entities (users/groups) that use collected data (e.g., travel expense department or tax auditor). Data-categories define different categories of collected data that are handled differently from a privacy perspective (e.g., medical-record vs. contact-data). Purposes model the intended service for which data is used (e.g., processing a travel expense reimbursement or auditing purposes).

These elements are then used to formulate privacy authorization rules that allow or deny actions on data-categories by data-users for certain purposes under certain conditions while mandating certain obligations.  EPAL policies can be used as templates, exchanged with business partners, ported to different applications within and between enterprises for complex purpose-based data authorization and privacy policy enforcement.  As such, EPAL is not only for web-based application policy enforcement, but can be used in a wide range of enterprise application and database systems for systemic privacy policy and data authorization enforcement, template creation, and policy exchange.

Further background:

The Workshop on P3P1.1 has been held in Dulles/Virginia USA on 12-13 November 2002. The workshop summary report indicated some achievements that can be reached within a limited amount of time. As initially planned, this second workshop is now focusing on the long-term strategies. While the findings of the first workshop had to take the installed base into account, thoughts oriented a long time in the future even include suggestions that are not backwards compatible.

Scope of the Workshop

The workshops on the first two days will discuss technology and policy considerations for the long-term future of P3P including new features or applications of P3P and longer-term P3P-related research and advanced development. Those might well address technical problems with P3P1.0, policy goals that P3P may help address, requirements unmet by P3P1.0, and legal or policy questions that have arisen as a result of P3P implementation with a perspective on the long-term future.

On the third day, The EPAL session will explore various industry use case scenarios and regulatory templates for EPAL policies and enforcement scenarios.  The goal is to present EPAL capabilities in a public forum and to collect interest and feedback on the idea of a more fine grained Enterprise Privacy Language (like EPAL e.g.).  It will also discuss which follow-up will be appropriate in this sector.


To help prepare for discussions at the workshop and to continue discussions following the workshop, we invite discussions on the P3P public mailing list. To subscribe, send mail to and put the word "subscribe" in the subject line. A public archive of this list is available at

The workshop is expected to result in the following deliverables:

These will be published on the workshop home page.

Expected Audience

We expect several communities to contribute to the workshop:

Registration and Rules for Participation

Position Papers

Position papers are the basis for the discussion at the workshop. These papers will also be made available to the public from the W3C Web site. We are inviting position papers that discuss either technology or policy considerations (or both) for the long-term future of P3P. We also invite position papers about Enterprise Privacy Languages that can consist in comments on EPAL or in other proposed languages.   Position papers could include technology requirements and use cases for Enterprise Privacy Languages,  and enforcement technologies.

Technology papers should propose new features or applications within the privacy metadata approach, followed by P3P but also by EPAL. They should explain how the new feature or application might be achieved technically, which issue will be addressed and what the benefits of this specific solution is. Concepts may also address new features addressing privacy in new application contexts such as single-sign-on systems, mobile Web access systems, Web Services, the Semantic Web or DRM Systems. Papers may also propose features be added to further integrate P3P with other W3C standards under development and with technologies under development in other organizations. Technology papers should also discuss the policy motivations for the new feature or application if relevant.

Policy papers should propose a new feature or application of P3P, identify a policy goal that P3P may help address, identify requirements that have gone unmet in the current P3P architecture, or discuss legal or policy questions that have arisen as a result of P3P implementation. Papers proposing new features or applications should discuss the policy, business, or other issues that motivate them, and include an evaluation of P3P1.0 with respect to a particular set of requirements. For example, a policy paper might point to specific regulatory frameworks that could benefit from P3P or EPAL for which the current P3P or EPAL vocabulary is inadequate. If possible, policy papers should briefly discuss how the new feature or application might be achieved technically and answer the questions posed for technology papers.

All papers should be 3 to 10 pages, although they may link to longer versions or appendixes. Papers might indicate what, if any, work has already been done towards developing a new feature or application, and any companies or organizations that are willing to commit resources towards this effort.

Position papers will be published on the public Web pages of the workshop, so position papers and slides of presentations must be available for public dissemination. Submitting a position paper comprises a default recognition of these terms for publication. Allowed formats are HTML/XHTML, PDF, or ASCII. Papers in any other formats will be returned with a request for correct formatting. Good examples of position papers can be seen in the QL'98 workshop. People might want to use a proposed stylesheet for their papers.

The Program Committee may ask the authors of particularly salient position papers to explicitly present their position at the workshop to foster discussion. Presenters will also make the slides of the presentation available on the workshop Web home page.

Position papers must be submitted via email to no later than 24 May 2002.

Workshop Organization

Workshop Chairs

Program Chairs

Program Committee

Caspar Bowden (Microsoft) Ann Cavoukian (Information and Privacy Commissioner, Ontario), Lorrie Cranor (AT&T), Jos Dumortier (University of Leuven), Marit Hansen (ICPP), Yuichi Koike (NEC), Helena Lindskog (Ericsson), Ari Schwartz (CDT), Matthias Schunter (IBM), Poorvi Vora (HP), Daniel Weitzner (W3C), Rigo Wenning (W3C), Mark Wilikens (JRC), Brian Zwit (America Online).

Workshop Host is the Independent Centre for Privacy Protection (ICPP) Schleswig-Holstein (Germany)


The workshop program is expected to run from 9 am to 6 pm on all 3 days. A more detailed program will be available 7 June 2003.


Location: The Workshop was moved from Multimedia-Campus the Office of the Independent Center for Privacy Protection. See Directions

The Workshop will take place in the offices of the Independent Center for Privacy Protection in Kiel. Kiel is situated at the north-end of Germany.

Getting There

From Hamburg Airport to Kiel

Kiel has it's own small Airport. But it is much smarter to fly to Hamburg Airport and take a Bus called Kielius that starts at Hamburg Airport and ends at the main railway-station in Kiel. The schedule for Hamburg->Kiel and Kiel->Hamburg are online. Here is a map of the area where you arrive.

Inside Kiel

The office of the Independent Center for Privacy Protection is of a walking distance from the railway station. See the description at their site for more information.


The Independent Center for Privacy Protection Schleswig-Holstein has reserved 50 rooms for now. They need to give the list to the hotels at latest by 4 June 2003. To reserve, please contact Heike Reimann, ULD/ICPP Holstenstr. 98 24103 Kiel Tel.: +49 (0) 431.988.1200/1209

Important Dates

Date Event
24 May 2003 Deadline for position papers (3 to 10 pages in HTML format - send to
4 June 2003 Deadline for hotel - reservations with the Independent Center for Privacy
7 June 2003 Program released
14 June 2003 Deadline for registration (use registration form).
18-20 June 2003 W3C Workshop on the Future of P3P in Kiel/Germany

W3C Resource Statement

Over the period of ten weeks, this work will consume 30% of the time of one W3C Team member for committee work, 20% of the time of one W3C Team member to handle local organization, and 10% of the time of one W3C Team member for managing the workshop Web pages. This effort is part of the W3C Technology and Society Domain.


Rigo Wenning, W3C Privacy Activity Lead

Last update $Date: 2003/06/11 14:20:56 $