ABSTRACT

In this chapter, we identify the need for location information in privacy models by analyzing two current privacy laws: the E.U. Data Privacy Directive and the Health Insurance Portability and Accountability Act (HIPAA) in the United States. By looking at different access control models that provide the means for expressing location restrictions within their policies, we conclude that there is no access control model that simultaneously takes location and privacy into account. As a result, we develop the formal location-based access control model - which extends - with obligations, purposes, data access conditions, and consent. We focus on creating a model that is actually implementable without making too many assumptions. For example, in the mobile context, the privacy concept of retention is only solvable by means of usage control (Sandhu and Park, 2003). However, this is a research topic on its own and will therefore not be covered in this chapter.