This document discusses privacy-preserving access control for data stored in public clouds. It proposes a two-layer encryption approach in which the data owner performs coarse-grained encryption and the cloud performs fine-grained encryption based on the access control policies. This delegates access control enforcement to the cloud while preserving data confidentiality and user privacy. Existing single-layer encryption approaches burden the data owner with all encryption tasks. The two-layer approach handles policy and user changes more efficiently, because only the outer encryption layer at the cloud has to be updated.
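The layering described above can be sketched as follows. This is an added illustration, not the scheme or code from the document: it shows why revoking a user only requires the cloud to redo the outer layer while the owner's inner ciphertext stays byte-identical. Assumptions: plain symmetric keys, a toy HMAC-based cipher standing in for a real AEAD, key delivery reduced to a dictionary (so the privacy-preserving key distribution is not modelled), and hypothetical names throughout (`Cloud`, `seal`, `unseal`, `user_read`, `alice`, `bob`).

```python
import hashlib, hmac, os
def _sub(key, label):  # derive separate encryption / MAC subkeys
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):  # toy keystream, stand-in for a real AEAD cipher
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def seal(key, plaintext):
    nonce = os.urandom(16)
    body = nonce + _xor_stream(_sub(key, b"enc"), nonce, plaintext)
    return body + hmac.new(_sub(key, b"mac"), body, hashlib.sha256).digest()

def unseal(key, blob):
    body, tag = blob[:-32], blob[-32:]
    good = hmac.new(_sub(key, b"mac"), body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong key or modified ciphertext")
    return _xor_stream(_sub(key, b"enc"), body[:16], body[16:])

class Cloud:  # sees only the owner's inner ciphertext; applies the fine-grained outer layer
    def __init__(self, inner_blob, authorized):
        self.inner_blob = inner_blob
        self.rekey(authorized)
    def rekey(self, authorized):  # policy or user change: only the outer layer is redone
        outer_key = os.urandom(32)
        self.user_keys = {u: outer_key for u in authorized}  # key delivery simplified
        self.stored = seal(outer_key, self.inner_blob)

def user_read(stored, outer_key, inner_key):
    return unseal(inner_key, unseal(outer_key, stored))

def demo():
    inner_key = os.urandom(32)  # owner's coarse-grained key, never given to the cloud
    inner_blob = seal(inner_key, b"constructed sample record")
    cloud = Cloud(inner_blob, {"alice", "bob"})
    bob_old = cloud.user_keys["bob"]
    before = user_read(cloud.stored, bob_old, inner_key)
    cloud.rekey({"alice"})  # bob revoked; the owner does nothing
    after = user_read(cloud.stored, cloud.user_keys["alice"], inner_key)
    try:
        user_read(cloud.stored, bob_old, inner_key)
        blocked = False
    except ValueError:
        blocked = True
    return before, after, blocked, cloud.inner_blob == inner_blob
```

`demo()` returns the record as read before and after the revocation, whether the revoked user's old outer key is rejected, and whether the owner's inner ciphertext was left unchanged by the re-keying.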