Navigating Privacy-Enhancing Technologies: Key Takeaways from the Inaugural Meeting of the Global PETs Network

In recent years, privacy-enhancing technologies (PETs) have been an increasingly popular subject on regulators’ and policymakers’ agendas. Whether by issuing guidance about these types of tools (Canada’s Office of the Privacy Commissioner;  United Kingdom’s Information Commissioner’s Office; Organisation for Economic Co-operation and Development), setting up regulatory sandboxes (Singapore’s Personal Data Protection Commission; Colombia’s Superintendence of Industry and Commerce); or creating prize challenges (United States and United Kingdom),¹ regulators are investing resources and energy to better understand, support the deployment, and potentially regulate PETs. 

On June 26, 2023, the Israel Privacy Protection Authority (IPPA) and the Future of Privacy Forum (FPF) brought industry experts, government officials, and academia together in Tel Aviv to discuss experiences and challenges faced towards the adoption of PETs. The in-person event served as the inaugural meeting of an informal Global PETs Network for regulators, providing a platform to discuss the latest developments and projects related to privacy-enhancing technologies among regulators and relevant stakeholders worldwide. 

The inaugural meeting, hereinafter referred to as the “PETs Conference,”  included the presentation of two case studies, a closed roundtable for regulators, and an open discussion with academia and industry experts, with the discussions being held under Chatham House Rule. This blog analyzes the main challenges raised by participants for adequate implementation of privacy-enhancing technologies, as well as the main takeaways of the discussions.

PETs: an evolving concept gaining increasing attention 

As technological developments increase the collection and exchange of personal data across jurisdictions and organizations, privacy-enhancing technologies can help by providing greater security, confidentiality, and protection of personal data. There are several types of PETs, which may be classified based on their functionality. For instance, some tools obfuscate and hide information (i.e., anonymization, synthetic data, differential privacy), other technologies allow for computations on encrypted data (i.e., homomorphic encryption, secure multi-party computation), while others facilitate the training of models without transferring and sharing data to a local server (i.e., federated learning). 

Although PETs have received heightened attention from authorities in recent years through different policies and initiatives, the concept is not new. As a term of reference, PETs were first introduced by the predecessor of the Dutch Data Protection Authority and the Information and Privacy Commissioner in Ontario back in 1995, through a joint report that sought to demonstrate that identity-protective elements might be included in the design of information technology systems.²

Ever since, interest in PETs has increased not only through extensive research but also in practice. For instance, federated learning and multi-party computation have proven to be useful when feeding machine learning models with on-device user data to improve digital services and products, without transferring the data to a central server. Public and private sector players use differential privacy to protect identities and privacy of people when publishing large sets of data

While governments and organizations seem to acknowledge the potential benefits of PETs, significant challenges to their effective deployment remain. Some of these challenges include the lack of maturity and high costs associated with some of these technologies, as well as an apparent lack of communication between experts and regulators, resulting in limited regulatory guidance and understanding about the benefits, limitations, and use cases of PETs. 

1. Collaboration and a greater understanding of PETs are essential

For some jurisdictions, privacy-enhancing technologies are still seen as a new and complex subject by regulators and companies alike. In that sense, educational resources and guidance can help translate the benefits and limitations of these tools. Although PETs may be encapsulated in one general concept, they differ in technical capabilities and usability. During the PETs Conference, participants praised efforts by regulators and international organizations to conceptualize the functionality and use cases of these technologies and tools. These studies include the United Kingdom’s Information Commissioner’s Office (ICO) recently published “PETs Guidance”, as well as the OECD’s 2023 Report on “Emerging Privacy-Enhancing Technologies.” 

These efforts are a starting point for greater understanding and certainty about the role of PETs in protecting personal information and privacy, which can lead to more detailed guidance and initiatives. During the meeting, authorities advocated for increased communication and collaboration to advance the understanding of PETs. This not only refers to collaboration for new projects and initiatives but also to leveraging useful and already available information to provide greater guidance and certainty to the industry. For instance, authorities could translate and disseminate available guidance by foreign authorities to their own official languages, where useful, or build their own guidance from previous documents. This kind of exercise can be helpful in providing guidance to the industry faster and in building capacity and technical knowledge within agencies.  

2. Regulatory certainty is necessary to boost the adoption of PETs

Secondly, regulatory guidance can provide greater certainty for the deployment and adoption of PETs. During the open discussion with industry stakeholders, some participants indicated that more certainty on regulators’ perceptions of these tools can spur the innovation and deployment of privacy-enhancing technologies. In the long term, guidance can also manifest through metrics to evaluate the success and risks associated with some of the tools.

While some organizations might recognize the value of these tools to offer more privacy-preserving products, barriers to their implementation – such as high investments in time and resources, technical expertise, lack of maturity, and information asymmetries between developers and potential buyers – are a major factor in deciding whether to invest in these tools. However, if these technologies provide an opportunity for more privacy-preserving products and services, regulators should make efforts to ensure that most organizations consider the implementation or integration of PETs, when possible. Authorities have an important role in building trust in the digital ecosystem by providing greater certainty regarding how privacy-enhancing technologies can ensure the protection of personal information. 

Importantly, data protection authorities have a special task in identifying how PETs overlap with data protection principles and how these technologies could potentially complement data protection compliance systems. Providing greater certainty in this regard could be definitive to some organizations’ decisions regarding investment and adoption of privacy-enhancing technologies.

Later on in the open discussion, industry representatives highlighted the importance of noticing the dynamics and different incentives created by PETs. In providing guidance and regulatory certainty, authorities should consider that privacy-enhancing technologies can benefit different parties across the chain of data utilization, particularly in cases where a certain technique enables data-sharing across multiple organizations. In this sense, regulators could consider economic and behavioral incentives to foster collaboration between organizations and public institutions.

3. The adoption of PETs requires constant evaluation and review of potential detrimental market outcomes 

Regulators and industry participants agreed on the merit of setting standards and certification programs as a viable way to generate more trust in the use and deployment of PETs across organizations. However, they also agreed that regulation and guidance are necessary to ensure the adequate implementation of standards. Importantly, regulators still have an important role in assessing whether standardized tools will be sufficient to comply with data protection regulations, and if additional measures are required to integrate data protection and privacy throughout organizations.

Finally, due to the high costs associated with some PETs, regulators should be cautious of potential barriers to competition that might arise from the deployment of these technologies. If PETs start to be actively promoted within digital services and products, centering privacy as a key market value, regulators must consider that certain companies might be able to get a competitive advantage through the early development and deployment of PETs. To avoid additional market deficiencies caused by privacy-enhancing technologies, regulators have an important task at hand in attempting to strike a balance between privacy and competition concerns. 

Conclusion

Regulators, academia, and industry experts seem to agree that further study and understanding of the potential benefits and limitations of privacy-enhancing technologies is necessary. Importantly, if PETs are part of the solution towards privacy-enhanced products and services in the digital ecosystem, regulators must strengthen their efforts to achieve their adequate deployment. Particularly, data protection authorities must indicate the extent to which privacy-enhancing technologies align with data protection and privacy frameworks and should evaluate whether their implementation is enough, or if additional measures are necessary. This assessment requires greater communication and collaboration between regulators, academia, and industry.

Importantly, more regulatory certainty on whether and how organizations should deploy PETs is essential. PETs already face intrinsic barriers to their adoption because they require technical expertise within organizations and are costly to adopt. Regulatory certainty plays an important role in tackling these challenges by providing greater transparency and knowledge about PETs, as well as the technology’s relation to data protection compliance. Regulators and data protection authorities, in particular, should focus on providing more information about the potential of PETs and provide metrics to assess their effectiveness or risks, if possible. 

Finally, while PETs can help build more privacy and trust in the digital ecosystem, it is important to note that they are not a fail-safe solution. Authorities and organizations should keep core data protection principles in mind and supplement these technical tools with other organizational and administrative measures. 

¹The US-UK PETs Prize Challenge was led by the U.K.’s Centre for Data Ethics and Innovation (CDEI) and Innovate UK, the U.S. National Institute of Standards and Technology (NIST), and the U.S. National Science Foundation (NSF), in cooperation with the White House Office of Science and Technology Policy.

²See: Hes, R. & Borking, John. (1995). Privacy-Enhancing Technologies: The Path to Anonymity. https://www.researchgate.net/publication/243777645_Privacy-Enhancing_Technologies_The_Path_to_Anonymity#pf14