DP News – Week 37. Time to adopt PETs: ICO has issued draft guidance for privacy enhancing technologies.
The UK’s ICO has released Chapter 5 of the “Draft anonymisation, pseudonymisation and privacy enhancing technologies guidance”, dedicated to privacy enhancing technologies (PETs).
While the EU/UK GDPR does not provide any legal definition of PETs, ICO in its guidance explains that PETs “are technologies that embody fundamental data protection principles by minimising personal data use, maximising data security, and empowering individuals”.
Adoption of PETs is clearly a way for data controllers to demonstrate they comply with the rules of “data protection by design and by default”, thus also meeting the accountability principle. In general, ICO explains that PETs help “achieve compliance with the data protection principles, particularly data minimisation, purpose limitation and security”.
ICO distinguishes between three types of PETs:
(i) reducing the identifiability (e.g., differential privacy, synthetic data);
(ii) focusing on hiding and shielding the data (e.g., homomorphic encryption, zero-knowledge proof);
(iii) splitting or controlling access to personal data (e.g., federated learning, trusted execution environment).
Importantly, PETs do not necessarily ensure anonymisation of personal data. Some of them do, others do not, and still others may play some part in the wider anonymisation process.
ICO provides an in-depth explanation of the nature of specific PETs they identified in the draft guidance.
It goes without saying that PETs should not be adopted and implemented blindly, i.e., a case-by-case assessment is required, taking into account specific processing operations. A sufficient level of expertise is required within the organisation to ensure PETs are implemented properly. In addition, effective organisational measures should be put in place to ensure that the implementation of PETs is not undermined.