We present a discretionary access control framework that can be used to control a principal?s ability to link information from two or more audit records and compromise a user?s privacy. While the traditional Chinese Wall (CW) access control model is sufficient to enforce this type of unlinkability, in distributed environments CW is inefficient because its semantics requires knowledge of a user?s access history. We propose a restricted version of the CW model in which policies are easy to enforce in a decentralized manner without the need for an access history. Our architecture analyzes system policies for potential linkability conflicts. Users can identify specific threats to their privacy, typically in terms of trusted and untrusted roles in the context of RBAC (role based access control), following which the system attaches automatically generated policy constraints to the audit records. When these constraints are enforced appropriately, they implement unlinkability policies that are provably secure and precise for a fixed protection state. We extend the model with a versioning scheme that can handle evolving protection state, including changing roles and permissions, trading precision to maintain the security of deployed policies.