Software systems that share potentially sensitive data are subjected to laws, regulations, policies and/or contracts. The monitoring, control and enforcement processes applied to these systems are currently to a large extent manual, which we rather automate by embedding the processes as dedicated and adaptable software services in order to improve efficiency and effectiveness. This approach requires such regulatory services to be closely aligned with a formal description of the relevant norms.

This paper presents eflint, a domain-specific language developed for formalizing norms. The theoretical foundations of the language are found in transition systems and in Hohfeld’s framework of legal fundamental conceptions. The language can be used to formalize norms from a large variety of sources. The resulting specifications are executable and support several forms of reasoning such as automatic case assessment, manual exploration and simulation. Moreover, the specifications can be used to develop regulatory services for several types of monitoring, control and enforcement. The language is evaluated through a case study formalizing articles 6(1)(a) and 16 of the General Data Protection Regulation (GDPR). A prototype implementation of eflint is discussed and is available online.

Normative modeling, Domain-specific language, Policy enforcement, GDPR, Executable specifications
dx.doi.org/10.1145/3425898.3426958
ACM SIGPLAN International Conference on Generative Programming: Concepts and Experiences
Software Analysis and Transformation

van Binsbergen, L.T, Liu, L.-C, van Doesburg, R., & van Engers, T. (2020). eFLINT: a domain-specific language for executable norm specifications. In Proceedings of the ACM SIGPLAN International Conference on Generative Programming: Concepts and Experiences. doi:10.1145/3425898.3426958