On the Semantics of Purpose Requirements in Privacy Policies
Privacy policies often place requirements on the purposes for which a governed entity may use personal information. For example, regulations, such as HIPAA, require that hospital employees use medical information for only certain purposes, such as treatment. Thus, using formal or automated methods for enforcing privacy policies requires a semantics of purpose requirements to determine whether an action is for a purpose or not. We provide such a semantics using a formalism based on planning. We model planning using a modified version of Markov Decision Processes, which exclude redundant actions for a formal definition of redundant. We use the model to formalize when a sequence of actions is only for or not for a purpose. This semantics enables us to provide an algorithm for automating auditing, and to describe formally and compare rigorously previous enforcement methods.
💡 Research Summary
Privacy regulations such as HIPAA require that personal data be used only for explicitly stated purposes. Enforcing these “purpose” constraints automatically is difficult because an auditor can observe only the actions an entity took, not the intent behind them. This paper proposes a formal semantics for purpose requirements based on planning. The authors model a data‑handling entity as a rational agent that selects actions to achieve one or more goals, and they represent the environment and the agent’s interaction with it as a modified Markov Decision Process (MDP) whose reward function measures how well a state satisfies a particular purpose. Planning for a purpose then means choosing actions that maximize the expected reward for that purpose.
A central contribution is the definition of non‑redundancy for actions within a plan. An action is non‑redundant if removing it from the plan (replacing it with a no‑op) lowers the plan’s expected reward for the purpose; otherwise it is redundant. This notion, borrowed from causal semantics, is weaker than strict necessity (an action may be non‑redundant in one optimal plan and absent from another) but serves as a practical criterion for auditors: a non‑redundant action in an optimal plan can be considered “for” the purpose in question, and an action whose removal changes nothing cannot be justified by it. The paper distinguishes two classes of purpose requirements: (1) prohibitive (not‑for), which forbid any use of data for a certain purpose, and (2) restrictive (only‑for), which allow use only for a predefined list of purposes.
To decide whether an observed action sequence complies with a policy, the auditor first constructs an MDP that captures the relevant purpose as the reward. The auditor then enumerates the plans that are optimal for that MDP and contain no redundant actions. If the observed sequence can be embedded in at least one such plan, the actions are deemed to be “for” the purpose; otherwise they constitute a violation. The authors present an algorithm that (a) builds the set of all permissible behaviors from the policy, (b) matches the audit log against this set, and (c) applies the non‑redundancy test to infer purpose attribution. Because the verdict is computed from the model rather than from labels on the log, its accuracy depends on how faithfully the MDP’s transitions and reward capture the real environment and purpose.
The paper illustrates the approach with a medical example: a physician transmitting a patient’s record to a private practice. By modeling “treatment” as the reward, the auditor can determine whether the transmission could belong to any optimal treatment plan. If not, the transmission is flagged as non‑compliant with HIPAA. The authors also discuss scenarios with multiple concurrent purposes, showing how an action may be non‑redundant for one purpose while redundant for another, and how conflicts can be resolved within the same formalism.
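The auditing procedure and the referral example above, worked through on a toy MDP. This is an added illustration written for this page, not code from the paper: the hospital domain (state fields, the five actions, the 80% consult probability, the three‑step horizon) and the two reward functions are constructed assumptions. It enumerates optimal, non‑redundant plans for a purpose, checks an audit log against them for an only‑for rule, and applies the per‑action non‑redundancy test for a not‑for rule, so that the same transmission to a private practice is accepted for a patient who needs a specialist and flagged for one who does not.

```python
"""Purpose auditing on a constructed toy MDP, following the planning semantics
summarised above. Illustration only: the hospital domain, its dynamics and its
reward functions are assumptions made for this example, not the paper's model."""
from itertools import product

NOOP = "noop"
ACTIONS = ("read_record", "send_to_practice", "send_to_marketer", "prescribe", NOOP)
HORIZON = 3      # a plan is a sequence of HORIZON actions; noop pads shorter logs
EPS = 1e-9       # tolerance for comparing floating-point expected rewards

# State: (needs_specialist, record_read, consult_obtained, prescribed, sent_to_marketer)
def initial_state(needs_specialist):
    return (needs_specialist, False, False, False, False)

def transition(state, action):
    """Constructed MDP dynamics: returns {next_state: probability}."""
    needs, read, consult, presc, mkt = state
    if action == "read_record":
        return {(needs, True, consult, presc, mkt): 1.0}
    if action == "send_to_practice" and read and not consult:
        # The practice returns a consult 80% of the time (assumed figure).
        return {(needs, read, True, presc, mkt): 0.8, (needs, read, False, presc, mkt): 0.2}
    if action == "send_to_marketer":
        return {(needs, read, consult, presc, True): 1.0}
    if action == "prescribe":
        return {(needs, read, consult, presc or read, mkt): 1.0}  # prescribing unread does nothing
    return {state: 1.0}  # noop, or a transmission that cannot change anything

# Reward functions: how well the final state satisfies each purpose (constructed).
PURPOSES = {
    "treatment": lambda s: (1.0 if s[3] else 0.0) + (1.0 if s[0] and s[2] else 0.0),
    "marketing": lambda s: 1.0 if s[4] else 0.0,
}

def expected_reward(start, plan, purpose):
    """Propagate the state distribution through the plan and reward the final state."""
    dist = {start: 1.0}
    for action in plan:
        nxt = {}
        for s, p in dist.items():
            for s2, q in transition(s, action).items():
                nxt[s2] = nxt.get(s2, 0.0) + p * q
        dist = nxt
    return sum(p * PURPOSES[purpose](s) for s, p in dist.items())

def pad(log):
    """Audit log of a completed episode, padded with noops to a full-length plan."""
    log = tuple(log)
    if len(log) > HORIZON:
        raise ValueError("log longer than the planning horizon")
    return log + (NOOP,) * (HORIZON - len(log))

def attribute(start, log, purpose):
    """Non-redundancy test: an action is 'for' the purpose when replacing it with a
    noop lowers the plan's expected reward for that purpose. Returns [(action, bool)]."""
    plan = pad(log)
    value = expected_reward(start, plan, purpose)
    result = []
    for i, action in enumerate(plan):
        if action == NOOP:
            continue
        pruned = plan[:i] + (NOOP,) + plan[i + 1:]
        result.append((action, expected_reward(start, pruned, purpose) < value - EPS))
    return result

def permissible_behaviours(start, purpose):
    """Observable behaviours of an agent planning only for `purpose`: plans that are
    optimal for it and contain no redundant action (noops stripped)."""
    plans = list(product(ACTIONS, repeat=HORIZON))
    values = {p: expected_reward(start, p, purpose) for p in plans}
    best = max(values.values())
    return {tuple(a for a in p if a != NOOP)
            for p, v in values.items()
            if v >= best - EPS and all(ok for _, ok in attribute(start, p, purpose))}

def audit(start, log, rule, purpose):
    """True when the log complies with the rule; False flags a violation."""
    if rule == "only-for":   # every action must be explained by the allowed purpose
        return tuple(a for a in log if a != NOOP) in permissible_behaviours(start, purpose)
    if rule == "not-for":    # no action may be non-redundant for the forbidden purpose
        return not any(ok for _, ok in attribute(start, log, purpose))
    raise ValueError(f"unknown rule {rule!r}")

if __name__ == "__main__":
    referral = ("read_record", "send_to_practice", "prescribe")
    print("needs specialist, only-for treatment:", audit(initial_state(True), referral, "only-for", "treatment"))
    print("no specialist,    only-for treatment:", audit(initial_state(False), referral, "only-for", "treatment"))
    print("attribution (no specialist):", attribute(initial_state(False), referral, "treatment"))
    leak = ("read_record", "send_to_marketer", "prescribe")
    print("leak, not-for marketing:", audit(initial_state(False), leak, "not-for", "marketing"))
```

Two details are worth noticing. Actions carry no cost here, so optimality alone would accept a plan that reads the record, prescribes and then also sends it to a marketer; only the non‑redundancy test removes that transmission, which is exactly the role the summary assigns to it. And the not‑for check looks at each purpose in isolation: an agent pursuing treatment and marketing at once is caught here because the marketing transmission is non‑redundant for marketing, but handling combined purposes in general is the multi‑purpose case the paper treats separately.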
Compared with prior work, which typically assumes that actions are already labeled with purposes or relies on informal intuition, this research provides a label‑free, mathematically grounded method. It subsumes earlier techniques as special cases and offers a clearer measure of expressiveness and accuracy. Limitations include the difficulty of accurately modeling human planning, the potential explosion of state‑action spaces, and challenges in quantifying “soft” purposes such as marketing. The authors suggest future extensions involving richer cognitive planning models, reinforcement‑learning based purpose inference, and scalable algorithms for large audit logs.
Overall, the paper delivers a novel semantics for purpose requirements, a concrete auditing algorithm, and a comparative analysis that together advance the state of the art in automated privacy‑policy compliance verification.