One of the ground-breaking insights in the UN and EC studies is that the data is considered “anonymous” after the initial encryption step, officially referred to as the “secret-sharing” step.
Processing personal data with MPC is not considered “data processing” under the GDPR. This is because MPC provides uniquely strong security and privacy features to data owners.
The fact that data remains encrypted during a business process is a significant paradigm shift versus today’s use of data.
MPC also provides a significant level of protection: to steal or leak data, a malicious actor needs to compromise the admin keys of multiple trustees (this can be compared to protection by two-factor authentication or segregation of duties).
The outputs of the initial encryption step (the “secret shares” used during the operation) are considered non-personal data.
As we will see below, legal experts explain that operations performed on the secret-shared data are not considered processing of personal data, due to MPC’s unique data protection.
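As an added illustration (not code from the UN or EC studies), the following Python sketch shows what the secret-sharing step produces and why one trustee’s holdings carry no information about a record: additive secret sharing over a prime field among three trustees (both constructed choices), a statistic computed trustee-side on shares only, and a reconstruction attempt that fails when one trustee is absent.

```python
import secrets

P = 2**61 - 1      # prime field modulus (assumed; any large prime works)
N_TRUSTEES = 3     # number of independent trustees holding shares (assumed)

def share(value: int, n: int = N_TRUSTEES, p: int = P) -> list[int]:
    """Split one integer into n additive shares summing to value mod p.
    The first n-1 shares are uniformly random, so any n-1 of them are
    statistically independent of the input: this is the 'secret-sharing step'."""
    shares = [secrets.randbelow(p) for _ in range(n - 1)]
    shares.append((value - sum(shares)) % p)
    return shares

def reconstruct(shares: list[int], p: int = P) -> int:
    """Recombine shares into the plaintext; needs every trustee's share."""
    return sum(shares) % p

def to_signed(x: int, p: int = P) -> int:
    """Map a field element back to a signed integer (handles negative sums)."""
    return x - p if x > p // 2 else x

def shared_total(records: list[int], n: int = N_TRUSTEES, p: int = P):
    """Sum all records without any trustee ever seeing a plaintext record.
    Each trustee keeps one share per record and adds its own shares locally;
    only the n partial totals are combined at the end. Returns (total, partials)."""
    partial = [0] * n
    for value in records:
        for i, s in enumerate(share(value, n, p)):
            partial[i] = (partial[i] + s) % p
    return to_signed(reconstruct(partial, p), p), partial

def missing_trustee_reconstructs(value: int, n: int = N_TRUSTEES, p: int = P) -> bool:
    """Can n-1 trustees (one absent) recover the secret? Their combined view is
    a uniformly random field element, so this is True only with probability 1/p."""
    shares = share(value, n, p)
    return reconstruct(shares[:-1], p) == value % p

if __name__ == "__main__":
    # constructed sample: yearly incomes of five data subjects
    incomes = [31000, 42000, 27500, 58000, 39000]
    total, partials = shared_total(incomes)
    print("trustee partial totals (look random):", partials)
    print("reconstructed total:", total, "mean:", total / len(incomes))
    print("n-1 trustees recover a record:", missing_trustee_reconstructs(31000))
```

The partial totals each trustee holds are uniformly random field elements; only their combination yields the statistic, which is the property the quoted legal analyses rely on.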
“One of the first significant precedents for secure multiparty computation was reached in Estonia with the Private Statistics project in 2015. In the project, 10 million identifiable tax records were linked with 600 000 identifiable education records and statistically analysed using secure multiparty computation. The Data Protection Agency, after studying the technical and organisational controls of the system, stated that no personal data was processed.
The precedent has also been upheld with the MPC servers hosted in the public cloud.
The PRACTICE project (European Commission Framework Programme 7) spent significant effort in analysing legal aspects of secure computing technologies. The report studies the Estonian precedent described above under the European General Data Protection (GDPR) regulation and finds that precedent can be upheld under the GDPR.
Further research has been performed by the SafeCloud project and SODA project.”
See UN Handbook on Privacy Preserving Computation Techniques, page 47.
Also see EU Horizon 2020 PRACTICE, Deliverable D32.3, Section 3.2.
“The fact that the data fragmentation procedure [secret-sharing step] as such is processing of personal data does not mean that the output data has to fall under the scope of the GDPR. On the contrary, based on the arguments put forward here the data shards that have undergone the partitioning are considered to be non-personal data.”
“If personal data is turned into non-personal data, then the subsequent storage of the data pieces should not be considered ‘data processing’ within the frames of Art. 4 Nr. 2 and the data protection provisions in general. Following this logic, the analytics carried out using MPC shall be considered as analysis carried out with feature data.”
“As to the technical details, structure and design of the processing, MPC is a state-of-the-art privacy preserving tool. The cryptographic solutions in use protect the data from intruders during the analysis. Intruders in this sense mean unauthorised external adversaries not intended to have access to the anonymised data.”
See EU Horizon 2020 SODA, Deliverable D3.5, Section 3.