EU and U.S. Policymakers Emphasize Privacy-Enhancing Technologies as a Shared Priority in 2021

EU and U.S. Policymakers Emphasize Privacy-Enhancing Technologies as a Shared Priority in 2021

Authors:

Only two months into the year, 2021 has already laid a solid foundation of legislative and regulatory support for privacy-enhancing technologies.

In Europe, the European Data Protection Board (EDPB)—which oversees the enforcement of the General Data Protection Regulation (GDPR)—and the European Union Agency for Cybersecurity (ENISA) have published technical guidance supporting Secure Multi-Party Computation as a valid privacy-preserving safeguard. In the United States, lawmakers in the U.S. House and Senate have introduced Promoting Digital Privacy Technologies Act (S.224, 117th Congress), “to support research on privacy-enhancing technologies and promote responsible data use.”

A global push for a more technical approach to privacy is an important turning point for data protection. Cryptographic privacy-enhancing technologies like Secure Multi-Party Computation (MPC) and Fully Homomorphic Encryption (FHE) are key to information sharing for the public good, without compromising the value of individual privacy.

What’s causing this unified support for privacy-enhancing technologies? Short answer: this is a critical time in history for data-driven innovation to thrive.

Learning from the past mistakes of Big Tech and government data breaches, it is now an incontrovertible fact that privacy is foundational to sustainable innovation—and regulators are on board. This blog surveys recent regulatory support for privacy-enhancing technologies, specifically MPC, and how policymakers are emphasizing decentralized analytics powered by cryptographic privacy protocols.

EUROPEAN DATA PROTECTION BOARD (EDPB)

The judicial invalidation of the EU-U.S. Privacy Shield in the Schrems II decision led the European Data Protection Board (EDPB) to clarify what organizational and technical measures are necessary for a valid cross-border transfer from the European Economic Area.

The Court of Justice of the European Union (CJEU) and the EDPB both emphasize that contractual tools alone may not be sufficient to transfer data between the EU and U.S. in compliance with the GDPR. Schrems II undoubtedly raised the bar for GDPR compliance, making it more difficult for companies to obtain and process EU data.

To balance the heightened standards with the legitimate need for data-driven collaboration, the EDPB published a recommendation for “split or multi-party processing” in its November 2020 guidance on ‘measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data.’

Inpher participated as a stakeholder in the public consultation of the draft EDPB Guidance and expressed support for the agency’s acknowledgment of MPC as a critical safeguard for privacy-preserving collaboration. We also published a deep-dive opinion editorial piece on the JURIST entitled ‘Post-Schrems II, Privacy-Enhancing Technologies for Cross-Border Data Transfers’ to examine the policy implications of increased regulatory support of cryptographic privacy-enhancing technologies.

EUROPEAN UNION AGENCY FOR CYBERSECURITY (ENISA)

On January 28, 2021, the European Union Agency for Cybersecurity (ENISA) published a ‘Technical Analysis of Cybersecurity Measures in Data Protection and Privacy’ examining privacy-preserving cryptographic protocols. ENISA is an agency tasked with harmonizing a “high common level of cybersecurity across Europe,” and is empowered by the European Union’s Cybersecurity Act of 2019 to set technical standards and policies that guide the EU cybersecurity certification framework.

The ENISA Technical Guidance identifies MPC as an advanced technical solution for complex data-sharing scenarios, particularly applicable to industry use cases in healthcare and cybersecurity. ENISA recommends organizations to engage in routine “security and data protection risk assessments” to determine if the scope and context of the data processing present risks that should be mitigated with a cryptographic privacy-enhancing protocol.

Chapter 3 of the ENISA Guidance discusses ‘Secure Multi-Party Computation and Secret Sharing Schemes’ as an advanced solution to mitigate privacy risks. MPC can facilitate ‘private set intersection’ to meet “personal data protection requirements in several cases which necessitate comparison of two different lists from two different data controllers without revealing anything else than their common entries.” (ENISA Guidance 2021 at page 24).

Inpher has worked with multinational financial institutions to safeguard personal data powered by MPC and private set intersection protocols. Applying this advanced technique to commercial application in trade matching, MPC solutions can enable financial institutions to effectively find trading partners in over-the-counter (OTC) markets through private matching—through which no unnecessary trade positions are leaked to the broader market. Inpher’s case study on ‘Double-Blind Trade Matching’ is a sophisticated use case that illustrates the ENISA Guidance in a high-frequency computing environment.

Part II of this blog series on the privacy risks of Federated Learning will discuss this solution in more technical detail.

U.S. SENATE BILL ‘PROMOTING DIGITAL PRIVACY TECHNOLOGIES ACT’ (S.224)

The new Biden-Harris administration has heralded hope for meaningful federal privacy reform in the United States. One of the first strides of this effort is marked by the Promoting Digital Privacy Technologies Act (S. 224), introduced by a bipartisan group of U.S. lawmakers to “codify support for data anonymization tools, confidentiality-enabling algorithms and other privacy-enhancing technologies, or PETs, designed to help secure people’s personal data.”[1]

The bipartisan agreement on this bill is a significant departure from previous Congressional discussions on consumer privacy legislation. Privacy-enhancing technologies can balance the need for privacy and sustainable innovation—a practical resolution that signals a true common ground for Republicans and Democrats.

Senator Fischer (R-NE), one of the Republican sponsors of the bill announced: “The growth of large-scale data analysis is driving innovation in areas ranging from health care to transportation to agriculture. However, we need to ensure that these data collection practices are not putting the private information of Americans at risk. By promoting research into PETs, this bipartisan legislation will help us to make the most out of developments in big data while safeguarding Americans’ right to privacy.”

Democratic co-sponsor Senator Cortez Masto (D-NV) aligns with the policy objective for supporting privacy-enhancing technologies, stating: “We must work to strike a healthy balance between privacy and innovation. This bipartisan, bicameral legislation helps us achieve that goal by researching ways in which privacy-enhancing technologies can complement emerging technologies of the 21st century.”

This bill would empower the National Science Foundation (NSF) to promote research into privacy-enhancing technologies and develop standards for the integration of PETs into public and private sector data uses.[2] In particular, the proposed legislation would enhance support for:

  • technologies for de-identification, pseudonymization, anonymization, or obfuscation of personal data in datasets while maintaining fairness, accuracy, and efficiency;

  • algorithms and other similar mathematical tools used to protect individual privacy when collecting, storing, sharing, or aggregating data; and

  • technologies that promote data minimization principles in data collection, sharing, and analytics.

S.224 defines ‘privacy-enhancing technologies’ as “any software solution, technical processes, or other technological means of enhancing the privacy and confidentiality of an individual’s personal data in data or sets of data.” These measures specifically include “anonymization and pseudonymization techniques, filtering tools, anti-tracking technology, differential privacy tools, synthetic data, and secure multi-party computation.

If passed, this bill would ratify Congressional support for MPC and call on NSF and other federal agencies to partner with public, private, and academic entities to standardize cryptographic privacy-enhancing technologies in both commercial and government applications.

Inpher has been a vocal proponent of MPC in sophisticated information-sharing cases. You can find our detailed support for privacy-enhancing technologies in various private and public sector use cases, including regulatory reporting, credit modeling, public health tracing, investigating financial crimes, and eliminating machine bias can be found here.

CONCLUSION

The COVID-19 pandemic has accelerated the need for better AI, deeper insights, and more connected services. With the growing reliance on data-driven technologies that drive public health tracing, financial crime investigations, and even everyday consumer activities like shopping and managing payments, the demand for privacy-by-design is universally at an all-time high.

Privacy-enhancing technologies need to underpin this unprecedented need for data. Luckily, policymakers on both sides of the Atlantic agree on the importance of this step forward. Inpher is excited to be on the frontlines of this important tidal change for privacy.

To learn more, contact us at [email protected]!