A user case from the Netherlands under the aegis of the Data Sharing Coalition brings positive news for those grappling with data sharing challenges. Private, public and the civil sector actors collaborated in a project that was based on cross-domain data sharing for the purpose of pre- venting and monitoring human trafficking. In this case, information obtained by law enforcement agencies of victims of forced prostitution was processed together with information from victims obtained by NGOs. The Sustainable Rescue Foundation (an NGO), Roseman Labs and others worked with privacy experts at Pinsent Masons to develop a system based on MPC (Multi-Party Computation) technology to help overcome the privacy law challenges so that sensitive data could be processed in confidence.
The main challenge in this use case was to enable collaboration between the parties without having to share sensitive personal data. The law enforcement agency has a list of names of individuals who are potentially engaged in criminal activities. A small number of people are put under observation. The NGO’s also hold a list of names — that is those of the informants - and wants to ensure that none of the informants are put under observation by the law enforcement agency. How can the parties achieve this, if they are unwilling (or, not allowed) to share these lists with each other? An additional complexity is that not all names are spelled correctly.
MPC is based on four decades of academic research in theoretical cryptography. It enables several participants to perform a computation on their joint input data, while their inputs remain mutually private (the input from each participant remains secret to all other participants), and without involving a trusted third party. “In theory, MPC technology has been available for quite some time,” Andre Walter, Head of Data Law Solutions at Pinsent Masons Netherlands said. “It is not just about encrypting data but about the ability to process encrypted data without lifting the encryption at any moment in time”.
In this user case, Roseman Labs, a high-tech software company that enables organisations to collaborate on privacy sensitive data through MPC, ran the process on encrypted data in real time. The process mitigates the risks because no personal data is exposed. Only the end result, in this case a short list for the law enforcement agency is revealed to the agency.
Ian Wachters, Commercial Officer at Roseman Labs, explained that each bit of data is divided into separate signifiers (numbers) which will reconstruct the information only if put together. The data is held on three separate servers and no one has access to these three servers in parallel.
“MPC is the most powerful privacy enhancing technology that is avail- able,” Wachters said. “The technology is now at a tipping point of being practical because of recent mathematical innovations and faster computers and networks. It can therefore now be applied to everyday problems.”
But given that the technology is not something you come across every day, how were the NGOs convinced that their users’ data would be safe? “We explained the process thoroughly. Then Roseman Labs assisted the organisations in running an ‘MPC ceremony’: three laptops, located at three different cities in the Netherlands, ran Roseman Labs’ MPC proto- col over the Internet, ” Walter said. Each laptop was provided with a list of the individuals’ data the organisation had in that city. A Roseman Labs person assisted the organisation during execution of the protocol.
“User trust is paramount and it is very important that all concerned are kept informed,” Walter said.
“Although under a strict interpretation of GDPR the encrypted data is still not considered anonymous, MPC provides a tremendous help in complying with GDPR principles such as purpose limitation and data minimisation” Walter said.
The outcome of an MPC ceremony is defined beforehand, and that way the algorithm, and with it the processing of the data, is run to achieve only the envisioned purpose.
In terms of data minimization, all data provided by the participating parties is encrypted at the source and hence not visible to anybody else during the process. Only the end result is revealed, and only to the designated party. MPC therefore enables collaboration where parties would not previously have trusted each other.
“MPC does not try to avoid the GDPR but can be used to enhance compliance. We take the same strict view as the Netherlands’ DPA (Data Protection Authority) — encrypted data is not anonymous data as it can be reconstructed. Therefore, the GDPR still applies,” Wachters said. MPC
technology makes possible processes that previously were not because the parties would not trust each other. Now when using MPC technology, they do.
EU DPAs acknowledge that technical measures may supplement other safeguards for data transfers to third countries, and they say that new technologies may still emerge.
The European Data Protection Board said in its 21 June 2021 guidance on international transfers that as a supplementary measure to a data transfer, split or multi-party processing is acceptable. Its use case (number 5 in annex 2) proposes the following scenario:
“The data exporter wishes personal data to be processed jointly by two or more independent processors located in different jurisdictions without dis- closing the content of the data to them. Prior to transmission, it splits the data in such a way that no part an individual processor
receives suffices to reconstruct the personal data in whole or in part. The data exporter receives the result of the processing from each of the processors independently, and merges the pieces received to arrive at the final result which may constitute personal or aggregated data.”
Multi-party computation can be used as a technical supplementary measure if there is no evidence of collaboration between the public authorities located in the respective jurisdictions, the DPAs say.
MPC solutions are ready to be used commercially. In fact, big players such as Coinbase and PayPal are already deploying MPC where they need extra security and privacy for cryptographic key management.
Rosie Nance, Practice Development Lawyer at Pinsent Masons said she is very excited about the technology’s potential to overcome challenges around Schrems II, data localisation laws, and other restrictions around sharing certain types of data. “The solution could enable collaboration and data sharing that would otherwise not be possible due to strict data localisation laws, Schrems II, local restrictions around data used for purposes like law enforcement, or a combination of all three of these factors. As lawyers based in the EU or UK, shifting processing to the EU or UK might seem like a solution to the challenges that arise on projects requiring international data sharing — and that would generally address Schrems II concerns. However, global organisations face complex and sometimes conflicting compliance requirements, and that would only deal with one piece of the puzzle.”
Nance foresees potential for further application of the technology in the financial sector, particularly in fraud prevention. Wachters agrees: “Anti- money laundering is a good example. If a bank only monitors their own trans- actions, it may not get a clear picture of what is happening. With the help of MPC, it can work with other collaborators to flag those that fulfil fraudulent criteria. Those transactions will then be looked at but only within that organisation — so data is not shared with third parties.”
Similarly, MPC technology could aid insurance companies to share their loss data in a privacy friendly way in order to better understand risk profiles, Wachters said. Other potential uses could be found in marketing. For example, two retailers with different product categories but
both running loyalty schemes could understand their consumers’ behaviour better as micro- segments can be created without actually sharing personal data.
MPC can also be used in the health sector and Wachters says this is very much a focus of Roseman Labs. The technology becomes useful when different health providers need to collaborate but data cannot be shared due to compliance reasons. For example, several hospitals can collaborate in a clinical study without revealing patient records to each other, and only reveal the conclusions of the study. Another question is how this technology could be explained to patients in a health system context, as the use of MPC would most likely require their informed consent.
Other possible uses could be in genetic testing to let people check their own genetic profile, or keeping bids private in sealed-bid auctions. Roseman Labs stresses that MPC provides both the strongest technical and organisation safeguards as required under the GDPR. However,
MPC will not solve every compliance challenge around sharing personal data: “MPC is not a silver bullet but it provides some legal certainty for data used for these types of data collaborations,” Walter said. “Now that the EU Data Governance Act is about to be adopted, there will be increased pressures for data sharing and this needs to take place in a secure environment.”