This document proposes a new approach called two-layer encryption (TLE) for delegating fine-grained access control enforcement to public clouds while preserving data and user privacy. Under TLE, the data owner performs coarse-grained encryption and the cloud performs fine-grained re-encryption based on access control policies. This division of work addresses limitations of existing approaches, in which the data owner must re-encrypt data whenever user credentials change. TLE also keeps user identity attributes and the data confidential from the cloud.
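The split of work described above, as an added example that is not code from the document: a simplified model in which the owner encrypts once and the cloud alone re-encrypts an outer layer when a user is revoked. Assumptions: an HMAC-SHA256 keystream stands in for a real authenticated cipher, the `Cloud` class and the pseudonyms `u1`/`u2` are hypothetical, and key distribution and the hiding of identity attributes are not modelled.

```python
import hashlib, hmac, secrets

def _sub(key, label):                 # separate subkeys for encryption and MAC
    return hmac.new(key, label, hashlib.sha256).digest()

def _stream(key, nonce, n):           # toy keystream, stand-in for a real cipher
    blocks = (hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, data):                  # encrypt-then-MAC: nonce | ciphertext | tag
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(_sub(key, b"enc"), nonce, len(data))))
    return nonce + ct + hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong key or modified ciphertext")
    return bytes(a ^ b for a, b in zip(ct, _stream(_sub(key, b"enc"), nonce, len(ct))))

class Cloud:
    """Holds only owner-encrypted data; manages the outer (fine-grained) layer."""
    def __init__(self, inner_blob, allowed):
        self.inner_blob = inner_blob
        self.reencrypt(allowed)

    def reencrypt(self, allowed):     # run by the cloud when the policy outcome changes
        outer = secrets.token_bytes(32)
        self.stored = seal(outer, self.inner_blob)
        self.outer_keys = {user: outer for user in allowed}

def read(cloud_blob, outer_key, inner_key):
    return unseal(inner_key, unseal(outer_key, cloud_blob))

def demo():
    record = b"constructed sample record"
    inner_key = secrets.token_bytes(32)
    inner_blob = seal(inner_key, record)          # owner's single, coarse encryption
    cloud = Cloud(inner_blob, {"u1", "u2"})
    u2_old = cloud.outer_keys["u2"]
    before = read(cloud.stored, cloud.outer_keys["u1"], inner_key)
    cloud.reencrypt({"u1"})                       # u2 revoked; owner does nothing
    after = read(cloud.stored, cloud.outer_keys["u1"], inner_key)
    try:
        read(cloud.stored, u2_old, inner_key)
        revoked_blocked = False
    except ValueError:
        revoked_blocked = True
    return before == record, after == record, revoked_blocked, cloud.inner_blob == inner_blob

if __name__ == "__main__":
    print(demo())
```

The last element of the result shows that the owner's inner ciphertext is byte-for-byte unchanged after the revocation, which is the re-encryption work the owner no longer has to do.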