Enforcing data protection legislation in Web data services
First Claim
1. A method for enforcing multiple countries' or/and entities' data protection rules in a Web service, said Web service maintaining a dynamic list of countries or/and entities that have been recognized for adequate data protection and maintaining a set of identification parameters for each registered data recipients, said method comprising the steps of:
formalizing data protection rules for each country or entity into specifications, each of said specifications being treated as a configuration file;
enforcing a first set of data protection rules while collecting personal data from users;
wherein said step of enforcing a first set of data protection rules further comprises the steps of;
creating a document object model (DOM) tree from a given XML form template;
identifying a total list of nodes in said DOM tree that contain a tag for data collection;
identifying a list of policy statements in a formal specification of a data protection rule;
constructing a sub-list of said total list of nodes that should be removed from said DOM tree according to said list of policy statements;
removing all DOM trees with root node included in said sub-list; and
exporting the remaining DOM tree into text format;
enforcing a second set of data protection rules while transferring personal data; and
enforcing a third set of data protection rules while processing personal data collected from users.
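The collection-time steps of claim 1 (build the DOM, list the data-collection nodes, read the policy statements, prune the matching subtrees, export the result) can be sketched as follows; this is an added example, not code from the patent. The `<field>` tag, its `category` attribute, the policy-statement format, the jurisdiction codes and the deny-everything default for an unlisted jurisdiction are all assumptions made for illustration.

```python
import xml.dom.minidom as minidom

# Constructed form template (trusted, server-side). The <field> tag and its
# "category" attribute stand in for the claim's "tag for data collection".
FORM_TEMPLATE = """<form>
  <section name="contact">
    <field name="email" category="contact"/>
    <field name="phone" category="contact"/>
  </section>
  <section name="profile">
    <field name="religion" category="sensitive">
      <option value="undisclosed"/>
    </field>
    <field name="birth_date" category="identity"/>
  </section>
</form>"""

# Hypothetical formalized specifications, one per jurisdiction, used like a
# configuration file: each policy statement denies collection of a category.
POLICIES = {
    "XX": [{"deny_category": "sensitive"}, {"deny_category": "identity"}],
    "YY": [],
}
# Assumption: a jurisdiction with no specification gets the strictest policy.
DENY_ALL = [{"deny_category": c} for c in ("contact", "sensitive", "identity")]


def render_form(template: str, jurisdiction: str) -> str:
    """Return the form text with every denied collection subtree removed."""
    dom = minidom.parseString(template)                # create the DOM tree
    fields = list(dom.getElementsByTagName("field"))   # total list of nodes
    statements = POLICIES.get(jurisdiction, DENY_ALL)  # list of policy statements
    denied = {s["deny_category"] for s in statements}
    # Sub-list of nodes that the policy says must not reach the user.
    to_remove = [n for n in fields if n.getAttribute("category") in denied]
    for node in to_remove:
        # Detaching the node drops the whole subtree rooted at it,
        # including nested <option> children.
        node.parentNode.removeChild(node)
    return dom.documentElement.toxml()                 # export to text


def collected_fields(form_text: str) -> list:
    """Names of the fields still present in an exported form."""
    dom = minidom.parseString(form_text)
    return [n.getAttribute("name") for n in dom.getElementsByTagName("field")]
```

Pruning on the server before export means a denied field never reaches the client, which is stronger than hiding it in the rendered page.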
Abstract
A system and method are provided for enabling Web services to enforce multiple countries' data protection laws and regulations during data collection, data processing storage and data transfer. The system maintains a dynamic list of countries or entities that have been recognized for their adequate data protection. A data collection form is provided that takes into consideration data protection laws of the sovereign in which the form is being filled out. The system prohibits the transfer of personal data in contravention of a local sovereign's data protection laws.
25 Claims
6. In a Web service which maintains a dynamic list of countries or/and entities that have been recognized for adequate data protection, wherein data protection rules for each country or entity are formally specified, and wherein data recipients have registered with said Web service a set of identification parameters, a method for enforcing multiple countries' or/and entities' data protection rules while collecting personal data, comprising the steps of:
enforcing a first set of data protection rules while processing personal data collected from users; and
enforcing a second set of data protection rules while transferring personal data;
wherein said step of collecting comprises a third set of data protection rules comprising the steps of;
creating a document object model (DOM) tree from a given XML form template;
identifying a total list of nodes in said DOM tree that contain a tag for data collection;
identifying a list of policy statements in a formal specification of a data protection rule;
constructing a sub-list of said total list of nodes that should be removed from said DOM tree according to said list of policy statements;
removing all DOM trees with root node included in said sub-list; and
exporting the remaining DOM tree into text format.
9. In a Web service which maintains a dynamic list of countries or/and entities that have been recognized for adequate data protection, wherein data protection rules for each country or entity are formally specified, and wherein all data recipients have registered with said Web service a set of identification parameters, a method for enforcing multiple countries' or/and entities' data protection rules while transferring personal data, comprising the steps of:
enforcing a first set of data protection rules while collecting personal data from users;
wherein said step of transferring comprises a second set of data protection rules comprising the steps of;
identifying a set of data entries included in a data recipient's request;
applying a configuration criterion to compute a corresponding set of data patterns for said set of data entries;
computing the legal values of said set of data patterns;
applying an access control list (ACL) for data transfer to determine whether said request should be accepted or denied; and
recording said request and result status in a log database; and
enforcing a third set of data protection rules while processing personal data collected from users.
12. In a Web service which maintains a dynamic list of countries or/and entities that have been recognized for adequate data protection, wherein data protection rules for each country or entity are formally specified, and wherein all data recipients have registered with said Web service a set of identification parameters, a method for enforcing multiple country's or/and entities' data protection rules while processing personal data, comprising the steps of:
enforcing a first set of data protection rules while collecting personal data from users; and
enforcing a second set of data protection rules while transferring personal data;
wherein said step of processing comprises a third set of data protection rules comprising the steps of;
identifying a set of data entries included in a data recipient's request;
applying a configuration criterion to compute a corresponding set of data patterns for said set of data entries;
computing the legal values of said set of data patterns; and
applying an access control list (ACL) for data processing to determine whether said request should be accepted or denied.
14. In a Web service which maintains a dynamic list of countries or/and entities that have been recognized for adequate data protection, wherein data recipients have registered with said Web service a set of identification parameters, an apparatus for enforcing multiple countries' or/and entities' data protection rules comprising:
means for formalizing data protection rules for each country or entity into specifications, each of said specifications being treated as a configuration file;
means for enforcing a first set of data protection rules while collecting personal data from users;
means for enforcing a second set of data protection rules while transferring personal data; and
means for enforcing a third set of data protection rules while processing personal data collected from users.
20. An apparatus for providing Web service that supports enforcement of data protection rules of multiple countries or/and entities, comprising:
means for registering each data requester's identification information;
means for maintaining a dynamic list of countries and entities that have been recognized for adequate data protection;
a set of formalized specifications of data protection rules, each of said specification being treated as a configuration file;
means for enforcing a first set of data protection rules on collecting personal data;
means for enforcing a second set of data protection rules on data transfer;
means for enforcing a third set of data protection rules on data processing; and
means for deciding which country or entity's data protection rule to be applied.
Specification