We gebruiken cookies om u de beste ervaring op onze website te bieden. U kunt meer informatie vinden over welke cookies we gebruiken of deze uitschakelen in de instellingen. - Bekijk cookie instellingen

Ga naar inhoud

Multi-Party Computation and privacy law: what to take into account when sharing sensitive data

Gepubliceerd op 8 november 2023

RSS Feed

Dit artikel is geplaatst op: CoE-DSC

On Wednesday the 11th of October, the Centre of Excellence for Data Sharing and Cloud (CoE-DSC) together with National Innovation Centre Privacy Enhancing Technologies (NICPET) organised an event about Privacy Enhancing Technologies (PETs). In the first presentation, a recently published whitepaper on the legal acceptability and impact of using PETs in practice was explained and discussed in detail. In the second presentation, the project team of the CoE-DSC shared insights about the Governance Framework for MPC/Federated AI data partnerships, which has been developed together with participant Linksight. We will share the key insights with you.

Secure Multi-Party Computation and privacy law

Tim Gillhaus and Maxime Hanhart from Pels Rijcken put the use of Multi-Party Computation (MPC) in data collaborations in relation to privacy laws (e.g., GDPR) and explained what should be taken into account when sharing sensitive health data. MPC allows parties to collaborate on data through conducting computations, but without exposing the data itself. In many public organisations, however, there is uncertainty about the legal permissibility of the use of MPC.

Legal experts from Pels Rijcken’s Information, Privacy & Technology team and technical experts from Linksight and TNO explored the technical and legal aspects of MPC deployment to eliminate existing legal uncertainties as much as possible.

The following steps should be considered when you want to share sensitive data, since they may affect the deployment of MPC:

  1. Determine whether the GDPR applies (or other sector specific legislation. For example, the police have to adhere to the Police Data Act). The safest option is to assume that the GDPR applies.
  2. Determine who is responsible for processing (owner of the data) and the processor.
  3. Determine whether processing operations comply with Article 6 of the GDPR and sectoral legislation.
  4. Establish whether special or criminal personal data are processed.
  5. Determine whether the processing operations comply with Article 22 of the GDPR.
  6. Take appropriate technical and organisational security measures.
  7. Determine whether processing operations comply with general principles of good governance.

Regarding number 2, the one responsible for processing must have a so-called basis (in Dutch ‘grondslag’), or statistical research exception. Article 89 of the GDPR requires that you build in safeguards so that people cannot access the underlying data and that the outcome is not directly traceable to a person. With MPC, you can more quickly invoke the statistical research exception, because you meet the strict conditions of this exception. If you meet this, the other advantage is that you can also process special or criminal personal data. This leaves the question of whether there is a duty of confidentiality on that data. If there is enough pseudonymisation, which happens with MPC discussed in the whitepaper, then you may override the secrecy exception for statistical purposes. For example, you can dive into excess mortality rates without breaking medical confidentiality. This statistical scientific research exception is fundamental for the realisation of MPC’s value potential.

These are the most important benefits of MPC:

  • The data owner has control over his data: You have control. A large part of the data does not need to be shared with others anymore.
  • The risk of a privacy breach is reduced: Thanks to MPC, data is shared in a confidential manner, without other parties involved gaining access to the data.
  • Legal obstacles are removed in certain cases by modifications of the foundations of MPC: For example the selection of input data and – in a more general sense – the specific usage of MPC (e.g., secret sharing instead of decentralised homomorphic encryption). These modifications may be relevant to the question of whether: a certain further processing is in accordance with Article 6(4) of the GDPR; it violates a duty of secrecy; it complies with the data minimisation principle; and whether that further processing involves the processing of special or criminal data, in which case a so-called processing ban applies.

Their top tip? At the start of MPC implementation, make sure you consider the legal aspects, in conjunction with the technical aspects. And make sure technical and legal experts collaborate. “Test whether you can start with your project, whether it adheres with legal aspects. There is nothing worse than having completed a project and then being told that the entire project should not have started.”

Do you want to learn more about the legal aspects of MPC?

Download the whitepaper

Het bericht Multi-Party Computation and privacy law: what to take into account when sharing sensitive data verscheen eerst op Centre of Excellence for Data Sharing & Cloud.

Ook interessant voor u


Kids First, towards a pedagogical sport climate

16 mei 2024

The European Digital Identity regulation and the b...

13 mei 2024

Paul Havinga overleden

10 mei 2024
Bekijk al het nieuws



Crafting the Dutch Trust Tech Landscape

5 juni 2024

FIWARE Global Summit

18 september 2024
Bekijk alle evenementen
  • Privacy overzicht
  • Noodzakelijke cookies
  • Cookies van derden
  • Aanvullende cookies
  • Privacy en cookies

Deze website maakt gebruik van functionele-, analytische- en tracking-cookies om de website te verbeteren.

Strikt Noodzakelijke Cookies moet te allen tijde worden ingeschakeld, zodat wij uw voorkeuren voor cookie-instellingen kunnen opslaan.

Deze website gebruikt Google Analytics, Hotjar en Facebook pixel om anonieme informatie te verzamelen, zoals het aantal bezoekers van de site en de meest populaire pagina's.

Door deze cookie ingeschakeld te houden, kunnen we onze website verbeteren.

Deze website gebruikt de volgende aanvullende cookies/services:

Meer over onze cookies