
Multi-Party Computation and privacy law: what to take into account when sharing sensitive data

Published 8 November 2023


This article was placed on: CoE-DSC

On Wednesday the 11th of October, the Centre of Excellence for Data Sharing and Cloud (CoE-DSC), together with the National Innovation Centre Privacy Enhancing Technologies (NICPET), organised an event about Privacy Enhancing Technologies (PETs). In the first presentation, a recently published whitepaper on the legal acceptability and impact of using PETs in practice was explained and discussed in detail. In the second presentation, the project team of the CoE-DSC shared insights about the Governance Framework for MPC/Federated AI data partnerships, which has been developed together with participant Linksight. We will share the key insights with you.

Secure Multi-Party Computation and privacy law

Tim Gillhaus and Maxime Hanhart from Pels Rijcken related the use of Multi-Party Computation (MPC) in data collaborations to privacy laws (e.g., GDPR) and explained what should be taken into account when sharing sensitive health data. MPC allows parties to collaborate on data by performing computations on it without exposing the data itself. In many public organisations, however, there is uncertainty about the legal permissibility of the use of MPC.

Legal experts from Pels Rijcken’s Information, Privacy & Technology team and technical experts from Linksight and TNO explored the technical and legal aspects of MPC deployment to eliminate existing legal uncertainties as much as possible.

The following steps should be considered when you want to share sensitive data, since they may affect the deployment of MPC:

  1. Determine whether the GDPR applies (or other sector-specific legislation; for example, the police have to adhere to the Police Data Act). The safest option is to assume that the GDPR applies.
  2. Determine who is responsible for processing (the owner of the data) and who is the processor.
  3. Determine whether processing operations comply with Article 6 of the GDPR and sectoral legislation.
  4. Establish whether special or criminal personal data are processed.
  5. Determine whether the processing operations comply with Article 22 of the GDPR.
  6. Take appropriate technical and organisational security measures.
  7. Determine whether processing operations comply with general principles of good governance.

Regarding number 2, the one responsible for processing must have a so-called basis (in Dutch ‘grondslag’), or rely on the statistical research exception. Article 89 of the GDPR requires that you build in safeguards so that people cannot access the underlying data and that the outcome is not directly traceable to a person. With MPC, you can more quickly invoke the statistical research exception, because you meet the strict conditions of this exception. If you meet these conditions, the other advantage is that you can also process special or criminal personal data. This leaves the question of whether there is a duty of confidentiality on that data. If there is enough pseudonymisation, which happens with MPC discussed in the whitepaper, then you may override the secrecy exception for statistical purposes. For example, you can dive into excess mortality rates without breaking medical confidentiality. This statistical scientific research exception is fundamental for the realisation of MPC’s value potential.

These are the most important benefits of MPC:

  • The data owner has control over their data: a large part of the data no longer needs to be shared with others.
  • The risk of a privacy breach is reduced: thanks to MPC, data is shared in a confidential manner, without the other parties involved gaining access to the data.
  • Legal obstacles are removed in certain cases by modifications of the foundations of MPC: for example, the selection of input data and, in a more general sense, the specific usage of MPC (e.g., secret sharing instead of decentralised homomorphic encryption). These modifications may be relevant to the questions of whether a certain further processing is in accordance with Article 6(4) of the GDPR; whether it violates a duty of secrecy; whether it complies with the data minimisation principle; and whether that further processing involves the processing of special or criminal data, in which case a so-called processing ban applies.

Their top tip? At the start of an MPC implementation, make sure you consider the legal aspects in conjunction with the technical aspects, and make sure technical and legal experts collaborate. “Test whether you can start with your project, whether it adheres to legal aspects. There is nothing worse than having completed a project and then being told that the entire project should not have started.”


The post Multi-Party Computation and privacy law: what to take into account when sharing sensitive data first appeared on Centre of Excellence for Data Sharing & Cloud.
