Oct 62022

ICO Publishes Draft New Guidance on PETs

William RM Long, Subhalakshmi Kumar and Eleanor Oates
, , ,

On 7 September 2022, the Information Commissioner’s Office (“ICO”) published draft guidance (“Guidance”) on privacy-enhancing technologies (“PETs”). It is hoped that the Guidance will help organizations have the confidence to utilize PETs to develop innovative applications without compromising on privacy concerns, or trust. The Guidance is divided into two sections: (i) how can PETs help with data protection compliance; and (ii) what are PETs. We consider the key learning points from the Guidance below. 

What are PETs and why is the ICO interested?

PETs are not defined in data protection law, but the European Union Agency for Cybersecurity (“ENISA”) defines them as “systems encompassing technical processes, methods or knowledge to achieve specific privacy or data protection functionality or to protect against risks of privacy of an individual or a group of natural persons.” The Guidance provides a more practical explanation of what PETs are – explaining that they are “enablers” that extract data value while providing data security.

The ICO is interested in PETs because, while they are growing in popularity, they are still not routinely used by all businesses. The ICO is keen to encourage uptake and research into the field by providing greater clarity on these technologies.  At the same time, the ICO also seeks to ensure sufficient guidance for organizations on how to use PETs lawfully. Indeed, time is of the essence, given that Gartner, the US consultancy company, predicts that PETs will be adopted by a majority of large organisations by 2025.

The ICO has been clear about the data protection benefits of PETs. These benefits include helping organizations comply with the data protection principles, especially data minimization, purpose limitation and security. PETs are also intrinsically linked to the concept of “data protection by design and default” (Article 25 of the GDPR). This is the idea that data protection should be ‘baked in’ to your processing from the design stage through to the deployment of any technology. PETs can further data protection by providing a means of demonstrating compliance with Article 25 of the GDPR.

What PETs are there?

PETs can broadly be divided into three main categories:

  1. PETs that reduce the identifiability of individuals;
  2. PETs that focus on hiding or shielding data; and
  3. PETs that control access to certain parts of the data.

How can PETs help my business?

While the Guidance sets out many different kinds of PETs, we list below three key technologies and how a business could use them to support data protection:

  • Homomorphic Encryption (“HE”) – this allows you to perform computations on encrypted data without first decrypting it. HE has the potential to support GDPR compliant international data transfers by allowing personal data to be stored and processed outside of the EU but only allowing for decryption on servers in locations that comply with GDPR requirements.
  • Secure Multiparty Computation (“SMPC”) – this is a protocol which allows at least two different parties to jointly perform processing on their combined data, without any party needing to share all of its data with each of the other parties. This could aid e.g., healthcare providers like the  UK’s National Health Service that routinely need to share information with different organisations who are working with their patients.
  • Trusted Execution Environments (“TEEs”) – this is a secure area inside a computing device’s central processing unit. It allows a code to be run and data to be assessed whilst isolating that data from the rest of the system. For example, biometric data on users can be kept separate from non-secure apps and only be used for an agreed purpose e.g., unlocking a user’s phone.

How can PETs be used in a GDPR compliant way?

PETs are not risk free and the Guidance recommends consideration of the following:

  1. undertaking a Data Protection Impact Assessment (“DPIA”) to evaluate whether the use of PETs is appropriate to an organization’s needs. The assessment should take into account the nature, scope, and purposes of processing, as well as the maturity and cost of the PET.
  2. the scalability and complexity of a PET.
  3. the protections the PETs provide and its robustness against attacks and data leakage.

What can we expect from this field in the future?

The Guidance shows that PETs are here to stay – as is regulator’s interest in regulating them. To that end, the ICO presented its work on PETs during the 2022 roundtable of G7 data protection and privacy authorities which took place in Bonn, Germany on 7 – 8 September. The G7 data protection authorities agreed that PETs have great potential but emphasized that regulators, governments and industry must consider them further in the coming months. It will be interesting to see how standards, laws and guidance develop as this multi-party dialogue continues.

This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.

William RM Long

London

wlong@sidley.com

Subhalakshmi Kumar

London

skumar@sidley.com

Eleanor Oates

London

eoates@sidley.com

You might also like
EU Formally Adopts Cyber Law for Connected Products

On 12 March 2024, the European Parliament approved the EU Cyber Resilience Act (“CRA”) with a large majority of 517-12 votes in favor of the legislation (with 78 abstentions). The CRA aims to ensure that “products with digital elements” (“PDE”) i.e., connected products such as smart devices, and remote data processing solutions, are resilient against cyber threats and provide key information in relation to their security properties.

Chambers 2024 Global Practice Guides for Data Protection & Privacy and Cybersecurity
The newest editions of the Chambers Global Practice Guides have been published and, once again, Sidley lawyers have contributed to two guides: Data Protection & Privacy 2024 and Cybersecurity 2024. These publications cover important developments across the globe and offer insightful legal commentary for businesses on issues related to data privacy and cybersecurity, such as regulatory enforcement and litigation, global cooperation to combat cybercrime, international agreement on ‘Software Security by Design,’ a global approach to policy on artificial intelligence, and more. Sidley partner Alan Charles Raul is a contributing editor to both guides in addition to authoring the introductions. The UK chapters of Cybersecurity 2024, covering “UK Law and Practice” and “UK Trends and Development” were authored by Sidley lawyers William Long, Francesca Blythe, Denise Kara, and Eleanor Dodding.
Regulatory Update: National Association of Insurance Commissioners Spring 2024 National Meeting

The National Association of Insurance Commissioners (NAIC) held its Spring 2024 National Meeting (Spring Meeting) March 15 through 18, 2024. This Sidley Update summarizes the highlights from this meeting in addition to interim meetings held in lieu of taking place during the Spring Meeting. Highlights include proposed updates to the regulatory review process for affiliated investment management agreements, continued discussion of considerations related to private equity ownership of insurers, and continued development of accounting principles and investment limitations related to certain types of bonds and structured securities.