Blog Digital Economy – PETs

PETs (Privacy-enhancing technologies) are becoming more well-known these last few months. They might be the key to a more efficient privacy strategy for businesses. Many authorities recommend their adoption and development.

What are PETs?

PETs are defined by the European Union Agency for Cybersecurity as “Software and hardware solutions, i.e. systems encompassing technical processes, methods or knowledge to achieve specific privacy or data protection functionality or to protect once morest risks of privacy of an individual or a group of natural persons”. The Information Commissioner’s Office, UK’s Data Protection Authority, recently released a guideline document on PETs[1]. PETs are classified into three types in the guideline: PETs that derive or generate information that reduces or removes people’s identifiability, PETs that focus on hiding, or shielding, data, and PETs that split datasets. PETs help companies with data protection principles such as privacy by default and by design or the data minimization principle. They are part of the technical and organizational measures that companies must put in place if they process personal data, especially sensitive data. In the guideline, they’re recommended particularly for processing that involves large-scale collection of personal data or that results in high risks to data subjects. For example, the guideline recommends them for processing involving artificial intelligence, machine learning, and deep learning applications. A Data Protection Impact Assessment is necessary to correctly choose which PET to put into place and what impact it might have on processing.

The G7 Data Protection Authorities

The G7 Data Protection Authorities held their third roundtable in June in Tokyo, Japan. They issued an Action Plan at the end of the roundtable that recommends the use of PETs. Authorities have dedicated four points of this Action Plan specifically to PETs and their development. One point of this Action Plan is the development of a terminology reference document regarding key terms and characteristics of PETs. Another point is the encouragement of the adoption and development of PETs. For this, they plan to study one specific PET: synthetic data. Synthetic data is data that imitates the properties and characteristics of real data, but is completely artificial. This type of data is used mostly in health and life sciences research, as it reduces the privacy risks associated with using real personal data. The Action Plan details that through this case study regarding synthetic data, they hope to develop regulatory insights and show that such technology can “help achieve a safe and privacy-enhancing method for obtaining insights from sensitive data”[2].

The Atlantic Declaration

G7 Data Protection Authorities aren’t the only ones interested in PETs and their development. US and UK also showed their interest through the Atlantic Declaration[3]. This declaration is the framework for the economic partnership between the UK and the US that places technology at the forefront of the partnership. It describes the need for the development of PETs for responsible use of data. For this, the UK and the US will launch a Collaboration on PETs. This will allow them to gain insight into the responsible use of AI models and enable economic and societal benefits. The complete effect of PETs on privacy and on business strategies is still not known, but it will be studied and is at the center of attention.

Sources:

[1]

[2]

[3]