The 2023 Big Trends of Privacy Enhancing Technologies
Privacy Enhancing Technologies (PETs) are gaining significance in the business world due to increasing concerns about data privacy and the regulatory framework. In March 2023, our research director Sabri Skhiri travelled to London to attend the Privacy Enhancing Technologies Summit 2023, which gathered experts to discuss the latest developments in privacy-enhancing technologies and how businesses can benefit from them. In this article, he dives into the significance of PETs, shares his insights, and summarises the main trends from the summit.
Ready? Let's get started!
What Are PETs?
Privacy Enhancing Technologies (or PETs) are the set of tools and processes that guarantee privacy within data processing or data exchange. PETs should be seen as enablers for creating value with data while complying with the law, increasing customer trust, and reducing the risk of data breaches. The main PETs are:
- FHE & encryption
- Differential privacy or anonymisation, and synthetic data generation
- VPN and security measures for “on the fly data” / “data in transit”
- GDPR & data governance: consent management, access management, retention period management, etc.
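To make the differential privacy entry above concrete, here is a minimal sketch of the Laplace mechanism in pure Python. The dataset, query, and epsilon value are illustrative examples of mine, not material from the summit:

```python
import math
import random

def laplace_noise(scale: float) -> float:
    # Inverse-CDF sampling of a Laplace(0, scale) distribution.
    u = random.random() - 0.5
    return -scale * math.copysign(1.0, u) * math.log(1 - 2 * abs(u))

def dp_count(values, predicate, epsilon: float, sensitivity: float = 1.0) -> float:
    # A counting query has sensitivity 1: adding or removing one record
    # changes the count by at most 1, so the noise scale is sensitivity/epsilon.
    true_count = sum(1 for v in values if predicate(v))
    return true_count + laplace_noise(sensitivity / epsilon)

# Hypothetical data: how many salaries exceed 45 000?
salaries = [34_000, 52_000, 47_000, 61_000, 39_000]
noisy = dp_count(salaries, lambda s: s > 45_000, epsilon=1.0)
```

A smaller epsilon means more noise and stronger privacy; the noisy answer can be published without revealing whether any single individual is in the data.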
Note that I will not go into technical details in this article, but feel free to consult my blog post on our research website, where I go deeper into topics like synthetic data, the different types of encryption, or using FHE schemes in deep learning.
Key Considerations for Deploying PETs
This year, the conference highlighted one main learning: deploying a PET requires just a bit of understanding...
- Understanding the value: the value of unlocking business opportunities and business cases, but also the counterfactual value, such as the value of avoiding a data breach or a lawsuit. Interestingly, there was no mention of data value management. The speakers talked a lot about PETs as value enablers, but not really about putting in place an end-to-end strategy linking data to the value it generates. Yet this strategy has become the gold standard in the market over the last two years.
- Understanding the regulatory context: the GDPR, the AI Act, the Data Act, the Data Governance Act, the recommendations on data transfer and cross-border data sharing,… even laws in China and the US.
- Understanding the ins and outs of data sharing: What does ‘data sharing’ mean? What is a processor, a controller? What is further processing? Can I share data privately, and if I can, what does that involve? What technical and legal constraints apply?
- Understanding how data governance is involved in ensuring that all processes, roles, and responsibilities are aligned.
- Understanding the risks: What is a risk in the fields of data usage or data sharing? Is it quantifiable? What proxy measures can be taken to assess the risk? Should I evaluate the risk/benefit balance? Most of the time, understanding the risk also means a deep understanding of the technology.
- Understanding the PET offering and its trade-offs, pros, and cons: FHE, trusted execution environments, differential privacy, synthetic data generation, pseudonymisation. For instance, what are the pros and cons of multi-party computation versus federated learning?
- Understanding the impact on AI: you should be able to understand what impact the PET you choose will have on your AI models. On the one hand, synthetic data (generated data that mirrors the balance and composition of real data) is good for explainability and fairness, but its privacy risk is non-standard, as you still risk disclosing real data attributes. On the other hand, encrypting your data hampers fairness checks and data cleaning. For instance, can we use deep learning with FHE? Not really: for the moment, it only works well on linear computations.
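To illustrate why encrypted computation favours linear operations, here is a toy sketch using the Paillier cryptosystem. Paillier is only additively (not fully) homomorphic, so it is a stand-in rather than a real FHE scheme, but it shows the core idea: sums and scalar multiples can be computed directly on ciphertexts, while non-linear steps (like a neural activation function) cannot. The tiny hard-coded primes are for illustration only and offer no security:

```python
import math
import random

# Toy Paillier cryptosystem with tiny, hard-coded primes -- NOT secure.
P, Q = 1009, 1013
N = P * Q
N_SQ = N * N
LAM = math.lcm(P - 1, Q - 1)
MU = pow(LAM, -1, N)   # modular inverse of lambda (valid when g = n + 1)
G = N + 1

def encrypt(m: int) -> int:
    # c = g^m * r^n mod n^2, with r random and coprime to n.
    while True:
        r = random.randrange(2, N)
        if math.gcd(r, N) == 1:
            break
    return (pow(G, m, N_SQ) * pow(r, N, N_SQ)) % N_SQ

def decrypt(c: int) -> int:
    # m = L(c^lambda mod n^2) * mu mod n, where L(x) = (x - 1) // n.
    return ((pow(c, LAM, N_SQ) - 1) // N) * MU % N

# Linear operations carried out entirely on ciphertexts:
c1, c2 = encrypt(42), encrypt(17)
c_sum = (c1 * c2) % N_SQ      # E(m1) * E(m2) decrypts to m1 + m2
c_scaled = pow(c1, 3, N_SQ)   # E(m)^k decrypts to k * m
```

Anything beyond such additions and scalar multiplications, e.g. a ReLU or sigmoid, has no direct ciphertext counterpart here, which is exactly the limitation the bullet above refers to.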
You’ve got the idea: Deploying this kind of tech remains a challenge since it requires a lot of different profiles in the room. Incidentally, a few talks during the conference touched on the subject of putting together a multidisciplinary A-team of experts to tackle this type of project.
One of the other significant trends highlighted at the conference was the need for collaborative computing, which enables organisations within an ecosystem to compute over their combined data without any of them seeing the others' raw data. PETs can meet this challenge.
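One common building block for collaborative computing is secure aggregation via additive secret sharing: each party splits its private value into random shares distributed among the participants, and only the aggregate is ever reconstructed. A minimal single-process sketch, with hypothetical per-organisation figures (a real deployment would run each party on its own infrastructure):

```python
import random

MODULUS = 2**61 - 1  # a prime modulus for the share arithmetic

def make_shares(secret: int, n_parties: int) -> list[int]:
    # Split a value into n random shares that sum to it modulo MODULUS;
    # any n-1 shares together reveal nothing about the secret.
    shares = [random.randrange(MODULUS) for _ in range(n_parties - 1)]
    shares.append((secret - sum(shares)) % MODULUS)
    return shares

def secure_sum(private_values: list[int]) -> int:
    n = len(private_values)
    # Each party splits its value and sends one share to every peer...
    all_shares = [make_shares(v, n) for v in private_values]
    # ...each peer sums the shares it received (one column per peer)...
    partial_sums = [sum(col) % MODULUS for col in zip(*all_shares)]
    # ...and publishing only the partial sums reveals just the total.
    return sum(partial_sums) % MODULUS

revenues = [120, 340, 95]  # hypothetical values, one per organisation
total = secure_sum(revenues)
```

Each organisation learns the total (555 here) but never any individual contribution, which is precisely the "share without seeing" property collaborative computing requires.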
The conference also highlighted the need for regulatory guidance on the use of PETs, especially in complex technologies like synthetic data, differential privacy, and FHE. The regulator cannot leave companies to fend for themselves in the face of such technological complexity. Companies need clear guidelines on evaluating the privacy risk, the use of PETs, and the legal constraints surrounding data sharing and governance.
While companies wait for regulatory guidance, it is essential to find the right balance between technical complexity and liability: demonstrating that you have made an effort without necessarily being at the cutting edge of the technology, while at the same time trying to avoid breaches.
Finally, the sales pitch is equally important: do not talk about PETs or data governance. Instead, talk about new revenue streams, business strategy, and data strategy. PETs and data governance will follow naturally from there.
Privacy-enhancing technologies are becoming increasingly important for businesses that handle personal data. Companies must understand the value and risks of deploying PETs, the regulatory context, data sharing, data governance, and the impact on AI models to make the most of this technology. They need to adopt a multidisciplinary approach to find the right PET for their specific use case. Finally, companies can also seek guidance from experts to navigate the complex regulatory and technical requirements surrounding PETs. At Euranova, we built a multidisciplinary squad of data governance and legal experts to advise and support companies looking to implement PETs, ensuring they get the most out of this technology. Do not hesitate to reach out if you need guidance on this topic.