In this talk, I will present some work in progress on using IFC principles for enforcing GDPR-style privacy principles. Privacy legislation such as the GDPR specifies legal requirements for protecting the private data of individuals but remains vague about how to implement such requirements in practice. Traditional security mechanisms such as cryptography or access control are blunt instruments for this job since they typically cannot distinguish between intended and inappropriate usage of private data. To complement them, I propose a programming language-based framework that uses IFC mechanisms to enforce privacy principles such as purpose limitation and data minimization. I will start by illustrating how these principles are ultimately about information flow and how they can be integrated in existing IFC frameworks. I’ll then sketch a simple type system for tracking secure and private information flow.