Papers
Topics
Authors
Recent
Search
2000 character limit reached

Privacy as Permissible Operations: An ABAC Framework for Policy-Law Compliance

Published 12 Apr 2026 in cs.CR | (2604.10832v1)

Abstract: In recent years, many countries have started enacting laws to safeguard privacy of personal data of their citizens collected and maintained by various enterprises through websites, mobile apps, and other means. It is imperative that the privacy policies of these enterprises respect the provisions of the applicable law. In this paper, we show how such organizational privacy policies can be efficiently checked against a prevalent law. Our novel approach named APLiance (\underline{A}BAC framework for \underline{P}olicy-\underline{L}aw Compl\underline{iance}) models the requirements of the different sections of a privacy law in the form of Attribute-based Access Control (ABAC) rules and the clauses of a privacy policy as a sequence of implied access requests. A policy is considered to be compliant with the law if these access requests are permitted by the corresponding ABAC rules. Although APLiance can be used in any policy-law setting, we demonstrate its effectiveness in the context of the recently introduced Digital Personal Data Protection Act of India. A browser plugin has been developed and publicly released for real time compliance checking using APLiance whenever a user visits the privacy policy page of a website.

Summary

  • The paper introduces the APLiance framework that uses ABAC to operationalize DPDP compliance through attribute-based permission rules.
  • It integrates LLM-driven text extraction with a structured attribute schema, achieving over 94% accuracy in explicit policy evaluations.
  • Experimental results reveal gaps in multilingual consent and explicit withdrawal provisions, highlighting challenges in scalable privacy compliance.

Formalizing Privacy Policy Compliance: The APLiance ABAC Framework for DPDP

Motivation and Problem Setting

The increasing prevalence of privacy laws—such as the General Data Protection Regulation (GDPR), Health Insurance Portability and Accountability Act (HIPAA), California Consumer Privacy Act (CCPA), and India’s Digital Personal Data Protection (DPDP) Act—has highlighted the urgent requirement to effectively verify compliance between enterprise privacy policies and legal privacy obligations. The challenge lies in operationalizing compliance: privacy policies and laws are articulated in heterogeneous, natural language formats, often with implicit contextual qualifiers, making machine-verifiable reasoning complex.

The paper proposes a solution for this verification bottleneck via the APLiance framework: an ABAC-based system for policy-law compliance, specifically instantiated for India’s DPDP Act (2604.10832). The method models legal requirements as permission rules over attribute spaces and policy clauses as implied access requests, reducing compliance assessment to an operational decision problem. APLiance also integrates LLMs for textual attribute extraction and is deployed as a browser extension for real-time user-facing compliance reporting.

ABAC Formalization of Privacy Laws and Policies

Attribute-Based Access Control (ABAC) is utilized as the core formalism to unify privacy law requirements and policy statements. ABAC models requests as tuples of subjects, objects, actions, and environmental factors, each parameterized by attribute values. Rules derived from the privacy law determine which requests (i.e., operations on personal data) are permissible.

In the context of DPDP, the framework captures:

  • Roles: e.g., data fiduciary (organization) and data principal (individual)
  • Actions: e.g., data processing
  • Object: personal data
  • Attributes: base (directly inferable from policy text), derived (computed from other attributes via rules), and unknown (not specified, requiring all possibilities to be considered)

This structure enables modular specification and compositionality of rules—critical for capturing complex legal stipulations and context-dependent constraints. Derived attributes are computed recursively using explicit rules, enhancing interpretability and expressiveness over alternative frameworks such as Contextual Integrity.

LLM-Based Attribute Extraction

Privacy policies are written in natural language, with variability and implicitness. APLiance leverages LLMs (gpt-5.4-mini) to infer base attribute values from policy text, guided by a formal attribute schema. This separation between formal rule specification and natural language processing supports systematic, scalable compliance checking.

For each policy, the LLM is tasked with populating attribute values based on textual evidence or logical inference, strictly adhering to predefined possible values. Unknown attributes are handled by evaluating all consistent assignments, ensuring robust handling of ambiguities and omissions.

Implementation and System Architecture

The practical system includes:

  • Manual extraction of attribute schema and rules from DPDP Act Sections 1-7 (core consent and lawful processing provisions)
  • LLM-driven attribute mapping from privacy policy text
  • Rule evaluation engine producing compliance verdicts based on ABAC rules
  • Browser extension for seamless user interaction and real-time compliance alerts

The backend caches policy analyses for efficiency, and transparently reports violations pinpointing specific unsatisfied DPDP attributes, aiding both users and organizations in identifying compliance gaps.

APLiance was evaluated on a dataset of 25 real-world privacy policies spanning major domains. Each policy was assessed against 16 compliance attributes, producing 400 policy/attribute evaluations.

Attribute extraction metrics:

  • Overall accuracy: 94.5%
  • Precision and recall: 96.1%
  • Per-policy accuracy: typically >93%, with some policies achieving perfect classification

Attribute-level performance:

  • Explicit requirements (purpose limitation, lawful purpose): 100% accuracy
  • Implicit/ambiguous requirements (unambiguous consent, easy withdrawal): notably lower accuracy, e.g., 64% for unambiguous consent, indicating LLM struggles with implicit language

Compliance outcomes:

  • No policy achieved full compliance with all DPDP ABAC rules
  • Non-compliance was primarily driven by three attributes: lack of multilingual consent notices, missing complaint mechanisms, and failure to support explicit, easy consent withdrawal
  • Relaxing the stringent attributes improved the compliant policy count (up to 20/25 when key problematic attributes were excluded), showing partial alignment with DPDP structural requirements but highlighting systemic gaps

Ablation study:

  • Structured extraction via APLiance outperformed direct prompting with LLMs for difficult attributes (unambiguous consent: 64% vs 52% accuracy)
  • Decomposition of the inference problem reduced ambiguity and improved reliability of compliance evaluation

Implications, Theoretical Contributions, and Future Directions

The ABAC-based formalization in APLiance yields:

  • Greater flexibility and compositionality for encoding legal predicates compared to CI approaches
  • Precise, systematic attribute-level compliance analysis, exposing granular violations for remediation
  • Demonstration of the limitations of LLMs in interpreting ambiguous policy language, emphasizing the need for structured attribute guidance and rule-based evaluation

Practically, the framework enables automated, explainable compliance reporting for privacy policies, supporting regulatory enforcement and user empowerment. Theoretically, the unified representation lays groundwork for extending operational compliance checking to new laws and contexts (cross-national, sectoral), and potentially for legal dispute resolution related to privacy policy violations.

Future work will include:

  • Extending coverage to all DPDP sections and other privacy laws (GDPR, CCPA, HIPAA)
  • Enhancing LLM robustness for capturing implicit policy signals, including multilingual and culturally contextual consent attributes
  • Applying the approach to legal case analysis and organizational compliance monitoring

Conclusion

APLiance provides the first operational, ABAC-driven framework for automated compliance checking of privacy policies under India’s DPDP Act, integrating LLM-based attribute extraction with modular rule evaluation. The methodology demonstrates high accuracy in explicit attribute inference but exposes persistent gaps in ambiguous consent provisions and multilingual accessibility, underscoring areas for organizational reform and future research. The generalizability and compositionality of the approach position it as a foundational tool for scalable privacy law enforcement and explainable compliance systems in AI governance (2604.10832).

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.

Tweets

Sign up for free to view the 1 tweet with 0 likes about this paper.