On 19 June 2023, the UK Information Commissioner’s Office (the ICO) published guidance on privacy enhancing technologies (or PETs) (the Guidance). The Guidance sits alongside the ICO’s recommendation that organisations should, if they haven’t already, start using PETs to share personal data safely, securely and anonymously.

Structure of the Guidance

The Guidance is split into two parts. The first part (up to page 16) is aimed at data protection officers (DPOs) and those with specific data protection responsibilities in large organisations that are using large personal data sets, specifically in finance, healthcare, research, and central and local governments. It focuses on how PETs can help achieve data protection compliance but keeps the description of the PETs themselves quite high level.

The second part of the Guidance is geared towards a more technical audience (or DPOs who wish to understand more about the common types of PETs available). It contains a more detailed and technical overview of eight PETs and their risks and benefits in the context of data protection compliance.

What are PETs?

The Guidance clarifies that there is no definition of PETs within data protection law and that the concept covers various technologies and techniques. However, the ICO’s view is that PETs are technologies that embody fundamental data protection principles by: (i) minimising personal data use; (ii) maximising information security; and/or (iii) empowering people.

The Guidance focuses on PETs that organisations (rather than the public) can use and describes some common types of PETs that are available, noting the difference between PETs that provide:

  • input privacy, namely solutions that restrict access by the party carrying out the processing to the inputted personal data and/or restrict access to statistical results arising during processing. The Guidance notes that these solutions can help organisations comply with the security, purpose limitation, storage limitation and data minimisation principles of the UK GDPR; and
  • output privacy, which are solutions that reduce the risk that personal data can be obtained or inferred from the results of the processing activity. The Guidance notes that these solutions can help organisations comply with the storage limitation and the data minimisation principles and are especially helpful when the results of an analysis are shared with large groups of recipients.

The first part of the Guidance briefly summarises the eight PETs that are covered in more detail in the second part of the Guidance and groups them by reference to the features outlined below to help explain how they work. It also notes which PETs might be beneficial to different types of processing activities (including use of AI, machine learning, data matching and data sharing).

The pros and cons of using PETs and considerations around their use

The ICO recommends the use of PETs noting that “these types of technologies open unprecedented opportunities for organisations to harness the power of personal data through innovative and trustworthy applications, by allowing them to share, link and analyse people’s personal information without having access to it”. Specifically, the ICO notes that PETs can help organisations comply with many of the data protection principles set out in the UK GDPR (in particular data minimisation) as well as demonstrate that a “data protection by design and default” approach is taken, whilst also stressing that PETs are not a “silver bullet” for compliance with all data protection principles.

Indeed, as PETs generally involve the processing of personal data, they must be used in compliance with data protection law and the Guidance states that organisations should undertake a data protection impact assessment when deploying PETs to understand how the use of the PET will impact the organisation’s processing.

The Guidance also identifies some common risks and weaknesses associated with the use of PETs (some of which are relevant to only certain types of PETs). These include:

  • the lack of maturity of the technologies;
  • a lack of expertise in their use;
  • mistakes in their implementation that pose security risks;
  • a lack of appropriate organisational measures;
  • scalability issues; and
  • issues around the amount of computational power needed to use PETs.

These risks and weaknesses need to be worked through by organisations considering using PETs. The ICO appears committed to supporting organisations to do this, including by providing specific guidance on how to assess the maturity of a PET and also by collaborating with the Centre for Data Ethics and Innovation (CDEI) to develop a cost-benefit analysis tool for those looking to develop or adopt PETs.

Our take

Data is the lifeblood of the digital economy and organisations’ ability to use, manipulate and analyse it will become ever more important in the context of AI and machine learning. Furthermore, the sharing of data is recognised in the likes of the Data Governance Act, the draft Data Act and many European and UK policy documents as a key requirement in enabling innovation and technological advancement across various sectors. Much of the data concerned is personal data and so technologies that help reduce the privacy risks associated with these uses should be welcomed and encouraged.

The Guidance is helpful in providing an accessible and clear introduction to different types of PETs and will be a useful tool to help DPOs and other privacy professionals be better informed in relation to the increasingly complex data practices and risk assessments that they oversee.