Emerging Privacy Enhancing Technologies: A Summary of the OECD 2023 PET Report
The Organisation for Economic Co-operation and Development (OECD) published a report on privacy enhancing technologies (PETs) on 8 March 2023. The report, which forms part of the OECD’s Digital Economy Papers series, examines technological developments, evaluates different PETs, and analyses the regulatory and policy frameworks. We’ve summarised the key findings from the 51-page report in this article.
What are Privacy-Enhancing Technologies?
In the broadest sense, a privacy-enhancing technology could be any one of many diverse technical methods or approaches taken to protect the privacy of personal information. At its simplest, this could be a piece of tape used to mask a webcam, while complex cryptographic techniques sit at the other end of the spectrum.
The OECD’s Take on PETs
Privacy-enhancing technologies (PETs) can be categorized into four groups:
- data obfuscation,
- encrypted data processing,
- federated and distributed analytics, and
- data accountability tools.
Here’s a quick summary of each category of PET:
- Data obfuscation tools alter data by adding noise or removing identifying details to enhance privacy. Examples include zero-knowledge proofs (ZKP), differential privacy, synthetic data, and anonymisation and pseudonymisation tools.
- Encrypted data processing tools allow data to remain encrypted during processing, reducing the need for decryption before use. Examples include homomorphic encryption, multi-party computation including private set intersection, as well as trusted execution environments.
- Federated and distributed analytics enable tasks to be executed by users who do not have direct access to the data.
- Data accountability tools focus on data control and enforcement of access rules. Examples include accountable systems, threshold secret sharing, and personal data stores.
Key Takeaways from the OECD’s PET Report
The Value of Privacy-Enhancing Technologies
The OECD describes the value of PETs as being most easily perceived in terms of creating win-win privacy scenarios. The report notes that PETs facilitate increases in both the utility of data and privacy protections in the research and development context.
It gives the following examples of social good achieved using PETs:
- Managing pandemics by using PETs to build models that can predict metrics such as rate of infection, rate of hospitalization, etc.;
- Facilitating ESG [environmental, social, and governance] reporting which often requires commercially sensitive data that could be kept confidential by use of PETs; and
- Prevention of financial crimes by using PETs for cross-border data flow.
An Updated Definition of Privacy Enhancing Technology
The OECD proposed an updated working definition of privacy enhancing technologies in section two of its report:
“For this report, PETs are understood as a collection of digital technologies, approaches and tools that permit data processing and analysis while protecting the confidentiality, and in some cases also the integrity and availability, of the data and thus the privacy of the data subjects and commercial interests of data controllers.”
The report also goes on to outline what PETs are not. Specifically, it notes that PETs are not stand-alone tools. Instead, they’re ‘ingredients’ that can be combined to achieve certain outcomes.
The Maturity, Challenges, and Obstacles of Major PETs
Two of the goals outlined in the report are:
- Broadening the current understanding of PETs (via a non-technical introduction); and
- Taking stock of technological, policy, and regulatory developments relating to PETs – and considering the opportunities and challenges of the different types of PETs.
To this end, the OECD provided a table (pictured below) that summarises their key findings relating to the four categories of PETs.
PETs are Maturing, Legal Policies and Data Governance Need to Mature Too
The OECD report notes that the need for training and awareness about PETs is going to increase as the technologies mature. Given the high potential for better privacy outcomes and win-win scenarios, the increasing maturity of PETs should warrant a re-evaluation of how they might be applied to data processing.
“PET should not be regarded as “silver bullet” solutions. They cannot substitute legal frameworks but operate within them, so that their applications will need to be combined with legally binding and enforceable obligations to protect privacy and data protection rights.”
PETs in the Australian Context
The OECD report takes stock of existing legal frameworks relating to PETs. With regard to Australia, it notes that “Australian Privacy Principle (APP) 11 requires entities covered by the Privacy Act 1988 to take reasonable steps to protect personal information from misuse, interference and loss, as well as from unauthorised access, modification or disclosure.” It also states that there are no specific requirements outlined about PETs other than that they must meet the APP 11 standards if implemented.
The report concludes that policymakers and privacy enforcement agencies will need to increase their consideration of PETs in the future.