This overview talk tackles the problem of specifying, monitoring and enforcing data usage requirements of the kind, “print my email at most twice,” “notify me upon dissemination of my address,” “no more than three copies of a confidential document in the company,” “delete all copies of a movie within thirty days,” “keep financial record for five years,” and the like.We discuss typical policies as well as an enforcement infrastructure that can act both after the fact, for accountability purposes, and preventively. It builds on two main ideas. First, requirements come at various levels of abstraction: prohibiting screenshots, writing files, playing songs, and copying database rows can most conveniently observed and controlled by monitors at different layers of a system: window manager, operating system, application, database. Second, when data is to be protected, usually all of its representations are meant to be protected: a picture comes as network packets, pix map, cache file, Java object. This requires information flow tracking technology across the layers of a system and across systems.We will conclude with a discussion on the circumstances under which such an infrastructure seems desirable.