Chinamyi Baramashetru is visiting SQUARE. In this SQUARE talk, Chinamyi will present her work on a type system for privacy-aware programming, focusing on enforcing GDPR-style consent and data-flow constraints through a combination of static typing and runtime checks.
SPEAKER: Chinamyi Baramashetru, Postdoc at University of Kent, UK.
Abstract: Data protection laws such as GDPR aim to give users unprecedented control over their personal data, but compliance requires precise reasoning about how data flows between entities and under which consent conditions it may be processed. Although privacy-by-design is widely promoted, mainstream programming languages provide little support for enforcing such requirements, and their enforcement mechanisms remain unclear. To address this gap, we propose a language-based approach to privacy-aware programming that integrates privacy constraints into the type structure of programs. Our framework combines static typing with targeted runtime checks in an active object language. A type-and-inference system tracks authorised data flows and consent-sensitive usage through structured tag annotations that propagate and compose across expressions. Typing generates privacy constraints that are checked at selected scheduling points, resulting in a hybrid static–dynamic enforcement model that reduces runtime checks while preserving compliance guarantees.
We formalise the framework with a typed operational semantics and prove soundness, ensuring that well-typed programs respect dynamic consent, purpose limitations, and authorised data use. Our approach supports key GDPR requirements, including consent management, purpose limitation, and data subject rights. This work shows how type systems can provide a principled foundation for privacy-by-design and regulatory compliance in privacy-critical domains.