At first glance, the latest and continuing development of data and AI regulations and frameworks seems to be at odds with both innovators and established enterprises. It’s easy to feel this way when reviewing the growing number of general and cross-border data protection regulations strengthening and emerging around the globe – they’re undeniably restrictive. But a closer look reveals a surprising truth: they’re paving the path to a new way of using and sharing data; a more efficient, secure, and valuable way.
Regulators like the UK ICO and Singapore’s IMDA have raised the bar with their practical guidance and insightful case studies. These works delve into real-world scenarios, showcasing how cutting-edge technologies can be implemented to protect data while in-use, providing a critical solution to complete defense-in-depth strategies while maximizing data value. They demonstrate that compliance doesn’t have to be a burden; it can be an opportunity to unlock new levels of innovation and efficiency. In short, the regulators and public sector are innovating for us, showing that the conflict between data safety and data-driven growth is a matter of technology rather than a law of nature.
The Old Way: A Trade-off Between Speed and Security
Traditionally, organizations struggle to balance the need for speed with the demands of data security and privacy. Process-driven workflows, while necessary for compliance, often slow down organizational agility. Worse, they can distort valuable data insights through anonymization and pseudonymization techniques. Such processes often degrade data quality due to the data redaction, limitations like the inability to link to other data sets, and the time lag in generating answers and insights from hard-to-access data. While synthetic data holds promise, it does not replace real data when model accuracy and overall efficacy is paramount.
The New Way: Unlocking Value with Privacy-Enhancing Technologies (PETs)
The emergence of Privacy-Enhancing Technologies (PETs) is changing the game, which is why regulators have gone above and beyond to show us how and why to use them. These technologies allow organizations to process and analyze sensitive data without compromising data or model protections, enabling them to:
- Extract valuable insights from data without exposing individuals: Techniques like Fully Homomorphic Encryption (FHE) allow computations to be performed on encrypted data, ensuring that sensitive information remains protected throughout the entire process.
- Collaborate securely with external partners: Trusted Execution Environments (TEEs) provide secure enclaves for data processing, enabling organizations to share data and collaborate on AI projects without fear of unauthorized access.
- Comply with cross-border data regulations: PETs can facilitate secure and compliant data transfers across borders, enabling organizations to operate in a globalized economy without running afoul of complex regulations. Such data flows are critical for the global economy and for advancing specific issues like public health and combating internationally run cybercrime organizations.
Real-World Examples: PETs in Action
Several case studies highlight the practical applications of PETs:
- Public Sector use of FHE: Government agencies depend upon leveraging CAI/PAI as well as data from allies and individual, private organizations. But maintaining OpSec while doing so often requires costly and lengthy processes, like “haystacking”. With FHE, agencies are accelerating and improving mission outcomes while reducing high-security infrastructure costs by 90%, all by eliminating reliance on data centralization combined with advanced encryption.
- NIST AI & DOD VAULTIS Frameworks: These frameworks specifically name privacy-protecting technologies as core requirements for ‘Secure and Trustworthy AI’. These requirements don’t conflict with, but support the goals of agencies like the DOD, to improve the speed and scale of data.
- Mastercard FHE Cross-Border Case Study – IMDA: This study demonstrates how FHE can be used to enable cross-border data flows for financial transactions while preserving privacy: including UK, India, Singapore, US. The result is that internal data use has transformed from lengthy requests and coordination, to a one time setup that allows for self-service question and answer and analysis.
- TEE Machine Learning Case Study – IMDA: This study explores the use of TEEs to facilitate secure data sharing and collaboration in a trusted environment for ML model training. While the promise is there, the case study was based on raw TEE infrastructure technology and the conclusion is that for practical adoption, a software layer (like Duality) is required to reduce the complexity and time in integrating TEEs into workflows, supporting various workloads, and incorporating critical governance controls and reporting.
- UK ICO ‘PETs Guide’ 2023: This guide features a case study involving Duality Technologies that showcases the potential of FHE to unlock valuable insights from sensitive data while maintaining privacy.
- Machine Learning with TEE + Federated Learning in Cancer: The Dana Farber Cancer Institute proved that not only was the accuracy of training on encrypted data equal with data in the clear, but reduced time-to-insights from 8-10hrs to 1-2 minutes, a near 900% increase in data efficiency by shifting to data protection guardrails from the checkpoints of old. In addition, the “plug and play” nature of the software solution removes much of the objections faced when seeking data partnerships with care facilities and other research groups.
The Future of Data and AI: A New Era of Innovation and Trust
These examples illustrate how PETs can help organizations navigate the complex landscape of data privacy regulations while unlocking the full potential of their data. By embracing these technologies, businesses can:
- Accelerate innovation: PETs enable organizations to analyze and utilize sensitive data without the constraints of traditional privacy protection methods, fostering faster innovation cycles.
- Enhance security: PETs provide robust security measures that protect sensitive data from unauthorized access and cyber threats.
- Build trust: By demonstrating a commitment to data privacy, organizations can build trust with customers, partners, and regulators with technical guarantees rather than promises and trust in incidental access.
A Call to Action: Embrace the Opportunity
The evolving regulatory landscape may seem daunting, but it also presents a unique opportunity for organizations to reimagine their approach to data and AI. By embracing PETs and adopting a proactive approach to data privacy, businesses can not only comply with regulations but also unlock new levels of innovation, efficiency, and trust.
This is not a time to shy away from regulation; it’s a time to embrace it as a catalyst for positive change. By working together, innovators, established enterprises, and regulators can create a future where data and AI are used responsibly, ethically, and for the benefit of all.
Join us on December 17th, wherein we’ll have a panel of experts (UK ICO, Mastercard, US Whitehouse) to discuss the new way of handling data and why private and public organizations should be paying attention.