Thinking Of Adopting A PET? ICO Issues Draft Guidance On Privacy Enhancing Technologies
The UK Information Commissioner’s Office (ICO) recently published draft guidance on privacy enhancing technologies (PETs). It forms the fifth chapter of a draft suite of guidance on anonymisation, pseudonymisation and PETs.
PETs are technologies intended to minimise the use of information about individuals, improve the security of data or give individuals greater control over data relating to them.
When deployed correctly, PETs can assist an organisation’s compliance with various requirements of UK data protection law, including:
PETs can be particularly helpful in contexts where sensitive data needs to be shared by organisations or where data will be collected or analysed on a large scale (such as in cloud computing services, artificial intelligence or the Internet of Things).
UK data protection law is heavily based on the EU’s GDPR regime, so the draft guidance may also be useful to EU and other international organisations.
Traps for the unwary
The draft guidance emphasises that PETs are not a ‘silver bullet’ for data protection compliance. The general requirements of data protection law continue to apply even if a PET is deployed, so organisations must consider the suitability of each PET on a case-by-case basis and watch out for some pitfalls:
The UK’s Centre for Data Ethics and Innovation (CDEI) has also highlighted how the use of PETs may lull organisations into a false sense of security. By itself, implementing a PET will not prevent unethical data gathering or outcomes.
According to the ICO, organisations must therefore undertake a case-by-case assessment of whether the PET is suitable in a particular context based on factors such as the nature, scope, purpose and context of the data processing and the maturity of the PET. EU regulators have likewise warned controllers subject to the EU’s GDPR that they must assess whether any PET used is appropriate in the circumstances.
Examples of PETs
The draft guidance gives an overview of several types of PET, together with detailed commentary on when each may be appropriate, standards that apply, how the PET assists with data protection compliance, factors to consider during implementation, and associated risks and weaknesses. These PETs are:
Global relevance and next steps
Regulators, industry and government bodies around the world are showing great interest in PETs and their ability to facilitate more secure, confidential and privacy-compliant use and sharing of data. For example:
The ICO has requested feedback on all chapters of the draft guidance on anonymisation, pseudonymisation and PETs by 31 December 2022.
The ICO is also calling for the development of industry-led governance (eg codes and certification schemes) to encourage appropriate use and development of PETs.