Categories
Pages
-

PADS-Responsible Data Science

Privacy-enhancing Technologies (PET) vs. Non-disclosure Agreements (NDA)

May 21st, 2021 | by

No one doubts that the interest in data science is growing rapidly. More and more companies are using data science and machine learning techniques to extend/accelerate their business. In the following, we provide two plots from two studies showing the growth of data science. Figure 1 is a result of a study by Towards Data Science [1] which shows the general interest in data science and other data-centric techniques by analyzing search interest trends from Google Trends years 2011-2020.

Figure 1: Interest in data-centric techniques over time.

Figure 2 was taken from a study performed by the European Leadership University [2] and shows the interest in data science among software developers by analyzing the Stack Overflow survey data from 2011 to 2018.

Figure 2: Data science community growth among software developers.

While investments in data science and data-centric technologies grow rapidly, the responsible use of data becomes increasingly important and has the attention of consumers, citizens, and policymakers. Responsible Data Science (RDS) considers four main aspects of responsibility that need to be taken into account while analyzing data: fairness, accuracy, confidentiality, and transparency [3]. Here, we focus on the confidentiality/privacy aspect of responsible data science and invite the community to discuss the possible challenges/reasons which are prohibiting the widespread use of technical solutions, e.g., privacy-enhancing technologies (PETs), in practice.

Privacy-enhancing technologies provide data protection by eliminating or minimizing the usage of unnecessary personal data without the loss of the data utility or the functionality of an information system [4]. A non-disclosure agreement (NDA) is a legal contract between different parties that outlines confidential/private material belongs to each party and prohibits someone from sharing such confidential information.

PETs are more focused on technical solutions based on general privacy policies such as GDPR [5]. Moreover, organizations can have their own privacy/confidentiality concerns, and they may develop specific privacy preservation techniques to address such concerns. On the contrary, an NDA is only a legal contract that relies on the power of prosecutions rather than providing technical solutions. Although PETs had a lot of breakthroughs in recent years and strong technical solutions have been introduced, the companies still prefer to follow legal agreements rather than using technical solutions. The question is why technical solutions are not being widely used in practice regardless of the high demand and significant breakthroughs in academia:

  • Are technical solutions still untrustworthy?
  • Are they expensive to develop?
  • Is there a lack of knowledge in companies to understand and develop technical solutions?
  • Is the problem the lack of interpretability of technical solutions?
  • Are there no solid tools to support technical solutions in practice?

Although many other possible reasons could be listed, in many cases one can still consider hybrid solutions to use technical solutions as preventative methods and use legal contracts to cover the potential weaknesses of technical solutions rather than relying on solely legal contracts which do not provide any type of technical guarantees.

What do you think? Which approach is more used in practice? And what is the main reason(s) for not using PETs in practice? You are very welcome to write your thoughts and comments in the comments box below.

 

References:

[1] https://towardsdatascience.com/

[2] https://elu.nl/

[3] van der Aalst W.M.P. (2017) Responsible Data Science: Using Event Data in a “People Friendly” Manner. Enterprise Information Systems. ICEIS 2016. Lecture Notes in Business Information Processing, vol 291. Springer, Cham.

[4] van Blarkom, G. W., Borking, J. J., & Olk, J. E. (2003). Handbook of privacy and privacy-enhancing technologies. Privacy Incorporated Software Agent (PISA) Consortium, The Hague, 198, 14.

[5] https://eur-lex.europa.eu/eli/reg/2016/679/oj

 

Contact:

We encourage experts in (responsible) data/process science to share their thoughts, experiences, and concerns regarding the responsible use of data with the community. You just need to send us your text.

Email: majid.rafiei@pads.rwth-aachen.de

Twitter: @MajidRafiei4

LinkedIn: linkedin.com/in/majid-rafiei-0838509a

 

2 responses to “Privacy-enhancing Technologies (PET) vs. Non-disclosure Agreements (NDA)”

  1. Diego says:

    I believe that there is a lack of knowledge in companies to understand and develop Privacy-enhancing Technologies solutions and the benefits obtained in comparison to the traditional technique of Non-disclosure Agreements (NDA), which transfers the responsibility, from a possible leak of information, to the outside the organization and “has no cost of implementation”.

  2. Andrew Pery says:

    While the concepts of Privacy by Design (https://iapp.org/resources/article/privacy-by-design-the-7-foundational-principles/) and the importance of Privacy Enabling Technologies (PETs) have been firmly established as foundational elements for safeguarding privacy rights, as further evidenced in Article 25 of the General Data Protection Regulation (https://gdpr-info.eu/art-25-gdpr/) there remains significant implementation challenges. First, the definition of Privacy Enabling Technologies is somewhat broad and amorphous. This was acknowledged as early as 2016 by the European Union Agency for Network and Information Security (ENISA) in their study: Readiness Analysis for the Adoption and Evolution of Privacy Enhancing Technologies: “Unfortunately, PETs are a fuzzy concept in practice”.
    (https://www.enisa.europa.eu/publications/pets). Privacy Enabling Technologies encompass a wide range of methodologies that span pseudonymization, obfuscation, differential privacy, encryption all of which are designed to manage the confidentiality, integrity and accessibility of personally identifiable information throughout its lifecycle. As such, interoperability and integration of PETs with other enterprise applications may not be trivial activities, which, for many organizations may be prohibitive investments. Second, as per a study by The Royal Society (https://royalsociety.org/-/media/policy/projects/privacy-enhancing-technologies/privacy-enhancing-technologies-report.pdf): Protecting privacy in practice: The current use, development and limits of Privacy Enhancing Technologies in data analysis observes: “The field of PETs is rapidly evolving. However, currently, many of the most promising tools, whilst having a rich research heritage, are relatively new to real-world applications. As such there remain a number of important unanswered questions: What are concrete trade-offs in real-world applications? How mature are different PETs? What opportunities do they present and what are their limitations?”.
    There is a need for further standardization and harmonization of Privacy Enhancing Technologies. The General Data Protection Regulation in some ways acknowledges that as Privacy Enhancing Technologies are rapidly evolving it ought to be balanced with “the state of the Art” of such technologies (Recital 78 of GDPR (https://gdpr-info.eu/recitals/no-78/)).

Leave a Reply to Andrew Pery Cancel reply

Your email address will not be published.