Data collaboration and PETs
In today’s world, data is generated in almost every activity we undertake. This data often resides in silos of different organizations, sometimes across jurisdictions. McKinsey estimated that if we were to share and collaborate on this data, $3.000 billion in value could be unlocked. A lot of that value also includes societal benefits, such as better healthcare and more effective crime fighting.
How tempting generating positive impact might be, data sharing initiatives often strand on the cliffs of regulatory compliance. Legislations like GDPR as amplified by court decisions as in the Schrems II case made organizations realize that straightforward data sharing is often very complex to arrange in a compliant manner. And when parties in third countries also involved, sharing is generally considered prohibited.
Equally problematic are use cases of sharing data with organizations in countries with data localization requirements. Russia and China are most known for their national rules that require data being stored on local servers, but there are several other countries who also require certain data types to be stored locally.
Third, one of the most common data transfer scenarios, since the Schrems II decision and the EDPB recommendations on supplemental transfer tools have confirmed, is the use of shared IT systems within international groups of companies.
Certain Privacy Enhancing Technologies (PETs) enable parties, owning different sets of sensitive data, to collaborate on this data in a privacy-preserving and secure manner. They can generate insights without actually sharing their data with each other.
These PETs are based on cryptography and have been developed by academia over the last 40 years. Now, they have become sufficiently mature and affordable for the industry to commercialize their application at scale.
Sharing insights without transferring sensitive data
Roseman Labs, a Dutch start-up company, has developed a solution based on Multi Party Computation (MPC). MPC is one of the strongest and most performant PETs. It combines strong technical measures (processing of encrypted data) with hard-coded segregation of duties. With MPC, data is fragmented into so-called ‘secret shares’, which reside in multiple MPC servers that can jointly execute computations without centralizing the data in a single location. Secret shares are random data, not disclosing anything about the source data. The magic of MPC is that the servers can perform joint calculations on these secret shares, without revealing the source data at any moment in time.
One recently implemented use case involves a public-private partnership between NGOs fighting human trafficking (Sustainable Rescue and other parties that prefer to stay unnamed) and a dedicated team of the Dutch National Police. All parties have data on (potential) victims of human trafficking, yet some of these are informants of the NGOs. The police would want to know who the informants of the NGOs are, as this would allow them to not follow these individuals but focus their resources on others. However, sharing the names of the informants is impossible as both the police and the NGOs must abide their duty of confidentiality. With and on behalf of the public-private partnership, Roseman Labs developed a solution to enable comparison of names under encryption, thereby ensuring that those victims selected by the police are not active informants of the NGOs.
Other applications of Multi Party Computation
MPC provides a powerful way to collaborate on data in a privacy-preserving manner. It enables organizations to collaborate on data even when it cannot, may not or will not be shared otherwise. Such sensitive data processing could relate to, for example, anti-money laundering, anti-trust laws, or data that is not allowed to leave a certain jurisdiction (e.g. due to data localization laws). Example use cases are plentiful, and rapidly emerging in real life:
“Few legal, compliance and data protection officers
are familiar with MPC.”
The legal perspective – what’s different with MPC?
What differentiates MPC? Why is it that organizations can suddenly collaborate on data with MPC, while this was not possible before? How does this work from a legal perspective? It is important to understand that, when using MPC and processing data on secret shares, data is still considered personal data. The secret shares cannot be considered anonymous because the data can be reconstructed to its original form if the majority of all data owners collude. They remain personal data and so privacy regulations such as the GDPR still apply.
That being said, compliance with GDPR regulations becomes easier and more robust. Below we provide examples of typical requirements for dealing with personal data and how they can be enforced through the use of MPC:
Today, few legal, compliance and data protection officers are familiar with MPC, and few tech experts oversee all legal implications. To reap the full benefits of this new technology, knowledge sharing is necessary.
“With modern techniques like MPC, new insights can be gained”
Conclusion
Initiatives to generate value from shared data sets for legitimate purposes often strand because of GDPR compliance concerns. With modern techniques like MPC, new insights can be gained while protecting the source data and its subjects. MPC technology is getting more mature and operational solutions are being implemented right now.
Today, the most obvious fields of applications include: (1) sharing sensitive data beyond what is currently possible, (2) international data transfer of personal data to and from problematic jurisdictions and (3) addressing data-localization restrictions imposed by third country laws.
We believe that the field of application of MPC will evolve far beyond discrete use cases like the case study above. Amongst the most common sharing scenarios are intra-group data sharing for management purposes and the use of so-called blacklists by various organizations that are
unaffiliated. There is much controversy around the use of blacklists: legal obligations to investigate and report suspicious behavior and screen customers are mushrooming, whilst on the other hand there is resistance against the use of central systems with this type of information. The Dutch DPA has granted some licenses for blacklists, but the general rule is that cross-sector exchange of blacklist data is prohibited. Using MPC to create decentralized blacklists may be a solution to reduce unnecessary data sharing without defeating the legitimate purpose behind the blacklist.
There are many other (international) data sharing use cases where MPC could potentially resolve very thorny compliance concerns. We hope
that the legal and tech community will engage on the topic and step up their collaboration to further accelerate the adoption of MPC and other privacy enhancing technologies.
Photo credit: Photo by Markus Spiske on Unsplash