
Multi-Party Computation and privacy law: what to take into account when sharing sensitive data

Published on 8 November 2023

This article was posted on: CoE-DSC

On Wednesday the 11th of October, the Centre of Excellence for Data Sharing and Cloud (CoE-DSC), together with the National Innovation Centre Privacy Enhancing Technologies (NICPET), organised an event about Privacy Enhancing Technologies (PETs). The first presentation explained and discussed in detail a recently published whitepaper on the legal acceptability and impact of using PETs in practice. In the second presentation, the project team of the CoE-DSC shared insights about the Governance Framework for MPC/Federated AI data partnerships, which has been developed together with participant Linksight. We will share the key insights with you.

Secure Multi-Party Computation and privacy law

Tim Gillhaus and Maxime Hanhart from Pels Rijcken related the use of Multi-Party Computation (MPC) in data collaborations to privacy laws (e.g., GDPR) and explained what should be taken into account when sharing sensitive health data. MPC allows parties to collaborate on data by running computations on it without exposing the data itself. In many public organisations, however, there is uncertainty about whether the use of MPC is legally permissible.

Legal experts from Pels Rijcken’s Information, Privacy & Technology team and technical experts from Linksight and TNO explored the technical and legal aspects of MPC deployment to eliminate existing legal uncertainties as much as possible.

The following steps should be considered when you want to share sensitive data, since they may affect the deployment of MPC:

  1. Determine whether the GDPR applies (or other sector-specific legislation; for example, the police have to adhere to the Police Data Act). The safest option is to assume that the GDPR applies.
  2. Determine who is responsible for the processing (the owner of the data) and who is the processor.
  3. Determine whether processing operations comply with Article 6 of the GDPR and sectoral legislation.
  4. Establish whether special or criminal personal data are processed.
  5. Determine whether the processing operations comply with Article 22 of the GDPR.
  6. Take appropriate technical and organisational security measures.
  7. Determine whether processing operations comply with general principles of good governance.

Regarding number 2, the one responsible for processing must have a so-called basis (in Dutch ‘grondslag’), or rely on the statistical research exception. Article 89 of the GDPR requires that you build in safeguards so that people cannot access the underlying data and that the outcome is not directly traceable to a person. With MPC, you can more quickly invoke the statistical research exception, because you meet the strict conditions of this exception. If you meet these conditions, the other advantage is that you can also process special or criminal personal data. This leaves the question of whether there is a duty of confidentiality on that data. If there is enough pseudonymisation, which is the case with the MPC discussed in the whitepaper, then you may override the secrecy exception for statistical purposes. For example, you can dive into excess mortality rates without breaking medical confidentiality. This statistical scientific research exception is fundamental for the realisation of MPC’s value potential.

These are the most important benefits of MPC:

  • The data owner keeps control over their data: a large part of the data no longer needs to be shared with others.
  • The risk of a privacy breach is reduced: thanks to MPC, data is shared in a confidential manner, without the other parties involved gaining access to the data.
  • Legal obstacles are removed in certain cases by modifications of the foundations of MPC: for example, the selection of input data and, in a more general sense, the specific usage of MPC (e.g., secret sharing instead of decentralised homomorphic encryption). These modifications may be relevant to the question of whether a certain further processing is in accordance with Article 6(4) of the GDPR; whether it violates a duty of secrecy; whether it complies with the data minimisation principle; and whether that further processing involves the processing of special or criminal data, in which case a so-called processing ban applies.

Their top tip? At the start of MPC implementation, make sure you consider the legal aspects in conjunction with the technical aspects, and make sure technical and legal experts collaborate. “Test whether you can start with your project, whether it adheres to legal aspects. There is nothing worse than having completed a project and then being told that the entire project should not have started.”

Do you want to learn more about the legal aspects of MPC?

Download the whitepaper

The post Multi-Party Computation and privacy law: what to take into account when sharing sensitive data first appeared on Centre of Excellence for Data Sharing & Cloud.
