ICO Publishes Draft New Guidance on PETs

On 7 September 2022, the Information Commissioner’s Office (“ICO”) published draft guidance (“Guidance”) on privacy-enhancing technologies (“PETs”). It is hoped that the Guidance will give organizations the confidence to use PETs to develop innovative applications without compromising on privacy or trust. The Guidance is divided into two sections: (i) how can PETs help with data protection compliance; and (ii) what are PETs. We consider the key learning points from the Guidance below.

What are PETs and why is the ICO interested?

PETs are not defined in data protection law, but the European Union Agency for Cybersecurity (“ENISA”) defines them as “systems encompassing technical processes, methods or knowledge to achieve specific privacy or data protection functionality or to protect against risks of privacy of an individual or a group of natural persons.” The Guidance provides a more practical explanation of what PETs are – explaining that they are “enablers” that extract data value while providing data security.

The ICO is interested in PETs because, while they are growing in popularity, they are still not routinely used by all businesses. The ICO is keen to encourage uptake and research into the field by providing greater clarity on these technologies. At the same time, the ICO also seeks to ensure sufficient guidance for organizations on how to use PETs lawfully. Indeed, time is of the essence, given that Gartner, the US consultancy company, predicts that PETs will be adopted by a majority of large organizations by 2025.

The ICO has been clear about the data protection benefits of PETs. These benefits include helping organizations comply with the data protection principles, especially data minimization, purpose limitation and security. PETs are also intrinsically linked to the concept of “data protection by design and default” (Article 25 of the GDPR). This is the idea that data protection should be ‘baked in’ to your processing from the design stage through to the deployment of any technology. PETs can further data protection by providing a means of demonstrating compliance with Article 25 of the GDPR.

What PETs are there?

PETs can broadly be divided into three main categories:

  1. PETs that reduce the identifiability of individuals;
  2. PETs that focus on hiding or shielding data; and
  3. PETs that control access to certain parts of the data.

How can PETs help my business?

While the Guidance sets out many different kinds of PETs, we list below three key technologies and how a business could use them to support data protection:

  • Homomorphic Encryption (“HE”) – this allows you to perform computations on encrypted data without first decrypting it. HE has the potential to support GDPR-compliant international data transfers by allowing personal data to be stored and processed outside of the EU but only allowing for decryption on servers in locations that comply with GDPR requirements.
  • Secure Multiparty Computation (“SMPC”) – this is a protocol which allows at least two different parties to jointly perform processing on their combined data, without any party needing to share all of its data with each of the other parties. This could aid, for example, healthcare providers such as the UK’s National Health Service that routinely need to share information with different organizations that are working with their patients.
  • Trusted Execution Environments (“TEEs”) – this is a secure area inside a computing device’s central processing unit. It allows code to be run and data to be accessed while isolating that data from the rest of the system. For example, biometric data on users can be kept separate from non-secure apps and only be used for an agreed purpose, e.g., unlocking a user’s phone.

How can PETs be used in a GDPR-compliant way?

PETs are not risk free and the Guidance recommends consideration of the following:

  1. undertaking a Data Protection Impact Assessment (“DPIA”) to evaluate whether the use of PETs is appropriate to an organization’s needs. The assessment should take into account the nature, scope, and purposes of processing, as well as the maturity and cost of the PET.
  2. the scalability and complexity of a PET.
  3. the protections the PET provides and its robustness against attacks and data leakage.

What can we expect from this field in the future?

The Guidance shows that PETs are here to stay – as is regulators’ interest in regulating them. To that end, the ICO presented its work on PETs during the 2022 roundtable of G7 data protection and privacy authorities, which took place in Bonn, Germany on 7 – 8 September. The G7 data protection authorities agreed that PETs have great potential but emphasized that regulators, governments and industry must consider them further in the coming months. It will be interesting to see how standards, laws and guidance develop as this multi-party dialogue continues.

This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.