Why Secure Multi-Party Computation (MPC) is no magic wand, but it is a game-changer.

Law enforcement agencies and their partners face a paradox: effective crime prevention and investigation require exchanging information, yet every personal data point creates privacy risk. Privacy-Enhancing Technologies (PETs) - and in particular Secure Multi-Party Computation (MPC) - promise to partially resolve that dilemma. A whitepaper by Pels Rijcken [1] maps out the legal analysis, the positive privacy impact MPC creates and where the limits are. Below we translate these findings into the practice of law enforcement cooperation.

MPC limits visibility of raw data, but it is still processing 

MPC enables multiple parties to collaborate on (sensitive) data, without revealing that data. It encrypts data at the source and then performs analyses on that data while it remains encrypted. This sounds magical but is based on solid cryptographic foundations that go back to the 1980s. [2]

The first important insight is that privacy frameworks still apply. Because calculations run on encrypted data, partners cannot view each other’s source data, which is a big plus for privacy. Nevertheless, and this is a very good thing, processing with MPC falls under the GDPR or the Police Data Act (e.g. Wpg in The Netherlands) for law enforcement data. Think of it like this: MPC improves privacy during processing, but the encryption at the source or sharing outcomes to an analyst can still be very sensitive.

'Data minimisation' gets real meaning 

The experts in the paper agree that by protecting data during processing with MPC, parties effectively implement data minimisation (see page 32 of the paper). MPC offers a solution to only reveal the information that is necessary for a specific purpose. For example, if a risk score is the key insight, the entire underlying files or dossiers do not need to be disclosed to get to this insight. This gives concrete effect to the principles of data minimisation and privacy by design & default.

Duty of confidentiality & purpose limitation 

So how does the adoption of MPC impact a legal review? First, a new data processing activity is lawful only if 1) there is a specific legal basis, 2) the data subject has given explicit consent, or 3) the newly intended processing is compatible with the original purpose of collecting the data (in Dutch: “verenigbaar doel”; see page 18 of the paper).

The whitepaper lists factors that help demonstrate compatibility. [3] For example: working privacy-by-design and strictly limiting impact on citizens. This is not black and white and always use-case specific. The paper states (p. 20): “Even if some of the above factors are met, there may be compatible further processing.” Here lies the heart of the legal analysis: Based on the use-case specific circumstances, you want to thoroughly evaluate compatibility with the original purpose – balancing the list of factors - whether MPC-based data sharing meets proportionality and purpose-limitation thresholds.

Powerful in case of anonymous or aggregated outputs 

Sector-specific confidentiality duties (e.g. tax secrecy, medical privilege) lapse only when the impact on the individual is “negligible.” According to the paper, MPC can help organizations reach that threshold, provided that the results are truly anonymised or aggregated.

Accountability is key, particularly in the case of automated decision-making 

Every data supplier remains a (joint) controller; the party hosting the MPC platform is a processor. That means you need joint-controller arrangements (per Art. 26 GDPR / 27 Wpg and data processing agreements with the service provider(s). Hence, clear accountability therefore remains essential.

If MPC output drives decisions with legal effects or a “significant” impact, the safeguards of Art. 22 GDPR and the Police Data Act-equivalents apply: transparency, human oversight, and the right to contest. Therefor, ethical and governance concerns remain a crucial factor in setting up a new data collaboration that impacts individuals.

Even with strong data minimization and proportionality, authorities must act carefully and with sound justification. Technology can never replace the proportionality test.

Conclusion 

The paper offers legal context and practical tips to get started with the application of MPC in law enforcement. We second these tips and highlight a few:

• Engage privacy officers & security experts early.
• Describe the collaboration scenario as specifically as possible; this is the foundation on which the legal team needs to base its analysis.
• Conduct a dedicated DPIA with an MPC-lens; and involve experts with understanding of the technology (to understand the residual risks).
• And, start a collaboration with aggregated-level outputs—for example, mapping the nature and scale of a crime problem. This enables you to build your understanding early and gather feedback.

Secure Multi-Party Computation is a powerful lever for reducing privacy risks. A solid legal basis, clear role agreements, and thorough legal analysis remain indispensable. However, those who use MPC robustly can work better in a data-driven manner without losing sight of confidentiality and fundamental rights.

Toon Segers, Co-Founder & Sales Director National Security at Roseman Labs

Footnotes 

[1] White paper: “Privacy-Enhancing Technologies – Secure Multi-Party Computation in the Public Sector” (Pels Rijcken). (link)

[2] Wikipedia page of Secure Multi-Party Computation: https://en.wikipedia.org/wiki/Secure_multi-party_computation

[3] See section 5.3 of the whitepaper (link, p. 20) lists seven factors for assessing whether an MPC analysis is compatible under Art. 6(4) GDPR: (a) no explicit confidentiality duty is breached; (b) the new purpose is closely aligned with the original; (c) the processing is reasonably foreseeable for data subjects; (d) no sensitive personal data are involved; (e) the analysis is not aimed at identifying individuals; (f) the outcome has no or only limited (legal) effects on data subjects; and (g) strong pseudo-/anonymisation plus extra technical and organisational controls are in place. The list is not exhaustive: a balanced DPIA can still find compatibility if only some factors score positively—or require a specific legal basis if they score negatively. In that sense, the factors act as an analysis-framework for deciding whether MPC-based data sharing meets proportionality and purpose-limitation thresholds.