On 7 September, the ICO published its draft guidance on the use of privacy-enhancing technologies (PETs). The draft forms the latest chapter of the ICO’s new guidance on anonymisation and pseudonymisation which it is publishing in stages as part of its consultation process. The chapter was released to coincide with a roundtable between G7 data protection authorities which took place on the 7-8 September and at which the ICO sought to encourage support for the use of PETs.
The draft guidance will be helpful to organisations considering PETs, as it discusses when one might consider using them and the accompanying risks of doing so.
What are PETs?
‘Privacy enhancing technologies’ refers to technologies and techniques that minimise personal data use and maximise data security. The European Union Agency for Cybersecurity (ENISA) defines them as “software and hardware solutions… to achieve specific privacy or data protection functionality or to protect against risks of privacy of an individual…”.
The guidance provides a detailed outline of the types of PETs that exist. These include: PETs that reduce the identifiability of individuals in a dataset (e.g. differential privacy, which adds calibrated random ‘noise’ to query results or released data so that the output reveals little about any single individual); PETs that hide or shield data (e.g. homomorphic encryption, which allows computation to be carried out on data while it remains encrypted); and PETs that govern access to data (e.g. trusted execution environments, which ensure data is processed in an isolated, hardware-protected part of a system).
It also includes a table which helpfully summarises the different types of PETs together with information as to their applications, weaknesses and any relevant standards that may apply.
What does the new guidance cover?
The ICO’s guidance covers a range of issues relating to PETs, including:
- the relevance of PETs to data protection law – PETs can help organisations show a ‘data protection by design and by default’ approach by, for example, demonstrating compliance with data minimisation requirements, contributing to an adequate level of security, and minimising the risk associated with data breaches;
- the benefits of PETs – this includes being able to grant access to datasets that normally would be too sensitive to share, and enabling personal data to be shared and analysed without compromising the privacy of the individuals to whom the data relates;
- the interplay between PETs and anonymisation – the guidance explains that PETs mainly exist to enhance privacy and protect personal data as opposed to anonymising it, but that specific PETs can indeed be used as part of anonymising data;
- when to consider using PETs – this will depend on the circumstances, but they should, for example, be considered at the design phase of a project involving the large-scale collection of personal data such as those involving AI applications, IoT, and cloud computing; and
- determining the maturity of a PET – the guidance notes that using Technology Readiness Levels (or ‘TRLs’) attributed to particular PETs is a common approach here. TRLs place PETs into “discrete categories of maturity” (from conceptual to market-ready) and in some cases are combined with qualitative measures, as in ENISA’s PET maturity assessments. The ICO notes that just because new technologies exist, it does not mean an organisation is required to use them to satisfy data protection requirements. For example, certain PETs remain theoretical or impractical to implement at present.
For organisations considering whether or not to use PETs, the guidance helpfully includes sections addressing how to make that determination, and risks associated with their use.
Deciding to use PETs
The guidance encourages organisations to perform a Data Protection Impact Assessment to ascertain whether using PETs would be appropriate. This would take into account the nature, scope, context and purposes of the organisation’s processing and the risks it poses, alongside the cost of implementation and the state of the art of the various PETs.
The guidance emphasises that the use of PETs is not a ‘silver bullet’ in achieving data protection compliance and that processing must still be lawful, fair and transparent.
The particular risks identified by the ICO are:
1) Lack of maturity. Many PETs are new, which means they may not be scalable, standards for their use may not be developed, or their robustness may not yet have been demonstrated. Interestingly, one output from the G7 meeting (mentioned above) was a call on industry to develop the technical standards and certification schemes needed to give organisations confidence that they are using PETs responsibly and in compliance with the law.
2) Lack of expertise. Significant expertise is required to establish and use PETs effectively. The ICO advises organisations to use off-the-shelf services where they do not have that expertise themselves.
3) Mistakes in implementation. The ICO warns that the practical implementation of PETs can carry risks to individuals’ privacy and that attacks and vulnerabilities should be monitored regularly. The guidance notes that: ‘a lack of appropriate organisational measures can lower or even completely undermine the effectiveness of a PET.’
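To make the ‘mistakes in implementation’ risk concrete for the differential privacy technique described above, the following is an added example written for this page; it is not code from the ICO guidance or from any PET product. It implements the standard Laplace mechanism for a counting query, with a simple privacy-budget accountant that enforces sequential composition (the epsilons of repeated queries on the same data add up). The second function shows the organisational failure the ICO warns about: the same query is answered repeatedly with fresh noise but no budget, and the analyst recovers the exact count by averaging. The dataset, the function names and the epsilon values are constructed assumptions for illustration.

```python
import math
import random

# Constructed sample dataset (not from the ICO guidance): one record per individual.
SAMPLE_RECORDS = [
    {"id": i, "age": age}
    for i, age in enumerate([23, 45, 67, 34, 52, 41, 29, 60, 38, 71, 44, 19])
]


def make_rng(seed=None):
    """Return a random.Random. A fixed seed is only for reproducible demos,
    never for production: predictable noise offers no privacy at all."""
    return random.Random(seed)


def true_count(records, predicate):
    """Exact counting query. Adding or removing one person changes the result
    by at most 1, so its global sensitivity is 1."""
    return sum(1 for r in records if predicate(r))


def laplace_noise(scale, rng):
    """Sample Laplace(0, scale) by inverse-CDF transform of a uniform variate."""
    while True:
        u = rng.random() - 0.5          # uniform on [-0.5, 0.5)
        if abs(u) < 0.5:                # avoid log(0) at the boundary
            break
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


class PrivacyBudget:
    """Tracks epsilon spent across queries. Under sequential composition the
    epsilons of queries on the same data add up, so this accountant is the
    control that stops an analyst from simply asking again."""

    def __init__(self, total_epsilon):
        self.total = float(total_epsilon)
        self.spent = 0.0

    def can_afford(self, epsilon):
        return epsilon > 0 and self.spent + epsilon <= self.total + 1e-12

    def charge(self, epsilon):
        if not self.can_afford(epsilon):
            raise RuntimeError("privacy budget exhausted or invalid epsilon")
        self.spent += epsilon

    def remaining(self):
        return self.total - self.spent


def dp_count(records, predicate, epsilon, budget, rng, sensitivity=1.0):
    """Laplace mechanism: charge the budget first, then return the true count
    plus Laplace noise with scale sensitivity/epsilon."""
    budget.charge(epsilon)
    return true_count(records, predicate) + laplace_noise(sensitivity / epsilon, rng)


def unaccounted_repeat_attack(records, predicate, epsilon, repeats, rng):
    """The implementation mistake: the same query is answered `repeats` times
    with fresh noise but no budget accounting. Averaging the answers cancels
    the noise and recovers the exact count, so the nominal epsilon means nothing."""
    answers = [
        true_count(records, predicate) + laplace_noise(1.0 / epsilon, rng)
        for _ in range(repeats)
    ]
    return round(sum(answers) / len(answers))


if __name__ == "__main__":
    def over_40(r):
        return r["age"] > 40

    rng = make_rng(2022)
    budget = PrivacyBudget(total_epsilon=1.0)
    print("exact:", true_count(SAMPLE_RECORDS, over_40))
    print("noisy (eps=0.5):", round(dp_count(SAMPLE_RECORDS, over_40, 0.5, budget, rng), 2))
    print("budget remaining:", budget.remaining())
    print("recovered by 2000 unaccounted repeats:",
          unaccounted_repeat_attack(SAMPLE_RECORDS, over_40, 0.5, 2000, rng))
```

Two points a practitioner should take from this. First, the noise calibration is the easy part; what protects individuals in practice is the accounting and access control around it, which is exactly the ‘appropriate organisational measures’ the ICO says can make or break a PET. Second, even the sampler above is not what a production system should use: it draws Laplace noise in double-precision floating point, and Mironov showed in 2012 that the low-order bits of such samples can leak the underlying value, so deployed libraries use hardened samplers and careful rounding.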
While the ICO makes clear in its guidance that organisations are not required to implement the newest technologies available to meet their data protection obligations, we expect that many companies will want to increase their knowledge of this developing area and to consider whether to design PETs into their processes, to enhance the security and compliance of their data processing.