
The Regulatory Whirlwind: The Role of Technology in Responding to – and Getting Ahead of – Regulatory Change

The world of technology and regulation is fast-moving and ever-evolving. Multiple stakeholders impact specific regulations and how they are enforced, even within a single jurisdiction or industry. This leads to challenges we hear about repeatedly from the public and private sectors alike, largely falling into a few categories:

  • The law preceded technology. This manifests itself with questions like “What does GDPR say about [privacy technology X] and anonymization?”
  • Issues and ambiguity in regulatory interpretation. If regulators provide guidance that isn’t directly in line with how regulations are written (even if the guidance makes sense), regulated entities will be less likely to apply such guidance for fear of legal repercussions.
  • Clarity among regulated entities. This manifests itself when different regulated entities interpret and implement a law differently from one another.
  • Harmonization. This manifests itself when regulators themselves are misaligned – for example, when a privacy regulator is not aligned with a financial regulator.

For these reasons, Duality regularly engages with regulators, legislators, and supervised entities to identify and clarify mutual challenges and blockers, as well as how cutting-edge technologies can support compliance requirements while driving business value. A great example of this is a recent engagement initiated by the ICO, the UK’s privacy regulator, which published a public call for views on anonymization, pseudonymization, and privacy enhancing technologies. Not only did Duality submit a response, but we co-developed a case study with the ICO to demonstrate how privacy technologies can be implemented to support GDPR; the case study was designed exactly to address the points above.

The ICO is a leader in the wave of regulatory, judicial, and legal action on privacy, AI, collaboration, and how data is used. Some additional examples are:

  • Completed March 2023: The UK-US PETs Prize Challenges, designed to drive innovation around PETs
  • March 2023: The White House National Cybersecurity Strategy, which seeks to establish public/private collaborations and the use of post-quantum encryption
  • April 2023: The European General Court’s decision that the same data that is pseudonymized to one party may be anonymized to another. Although not necessarily a landmark case, this is certainly a major reinforcing point of how GDPR should be understood and a perfect fit for privacy technology (more on that later)
  • June 2023: The Department of Finance in Canada’s recently released consultation on money laundering, which has a chapter devoted solely to information sharing across the public and private sectors
  • In progress: Changes in UK GDPR to enable additional / clearer legal bases for sharing data and collaborating
  • In progress: Amendments being made to Singapore’s Financial Services and Markets Act, to enable financial crime collaboration
  • In progress: The EU’s AI Act, which is a move to regulate artificial intelligence and the data it can use based on the different applications a model can support
  • In progress: Singapore’s Infocomm Media Development Authority’s PET Sandbox, which provides a “safe space” to test out PETs and use cases they support
  • In progress: Reforms to Australia’s Privacy Act 1988, designed to support privacy and digital innovation

Why is this happening at such an accelerated pace, all around the world?

The truth is that collaboration and data privacy have been the direction of travel for years. Interestingly, the Covid pandemic helped bring this intersection of privacy and collaboration to the forefront, and accelerated it even further. The pandemic made it glaringly and painfully obvious how more agile collaboration across health agencies and jurisdictions could have produced a different outcome, but it also made the practical challenges clear, given the sensitivity of healthcare data.

To further hammer home the point, we can look outside of healthcare to a very different world – the criminal one. The fact is that money launderers, fraudsters, and other criminals exploit gaps in collaboration across financial institutions and jurisdictions to perpetrate their crimes. Financial institutions and law enforcement are fighting with one hand tied behind their backs: privacy laws, which are justifiably there to protect the law-abiding public, also restrict how financial crime fighters can work together and sometimes offer a shield for criminals as well.

It is because of this impasse – the need to analyze sensitive data collaboratively, and the need to protect privacy, security, and intellectual property – that an intersection between this wave of legal changes and technology emerges. There are now technologies available, called “privacy enhancing technologies”, that enable collaboration while complying with data privacy and security obligations (and indeed do so in accordance with the EU Court’s latest decision, which correctly explains that the same data may be pseudonymized to one party and anonymized to another, which affects what type of data can be processed and by whom). These technologies have reached a level of maturity at which they are ready for production use, understood by regulators, and, in fact, offering benefits today. Some examples are below:

  • The UK’s ICO published a case study about Duality on how law enforcement agencies and financial institutions could collaborate more closely to fight financial crimes while still supporting GDPR
  • Israel’s Tel Aviv Sourasky Medical Center announced a partnership with Duality around collaborating with researchers and pharmaceutical companies on “real world data” to help drive better patient and clinical outcomes.
  • Law enforcement agencies are able to query commercially available datasets while protecting privacy – without moving data or revealing the subjects of investigations – yielding both more efficient investigations as well as demonstrating to the public their commitment to trust, security, and privacy

The bottom line is that today, it’s not enough to simply rely on governance and controls to enable compliance. The world of data, and the value of it, is growing. The way we use data is changing every day (who could have imagined tools like ChatGPT just last year, and the implications for data privacy and “collaborative AI”?). Regulations are trying to keep up. This means mature organizations aren’t simply responding, but are being proactive – preparing for new methods to analyze data and new ways to protect it – to future-proof their compliance function and their business. Technology has always been a business enabler, and the point is made even finer now – what good is your data, and what good are your models, if you can’t access them while still ensuring compliance? What good is having a business ecosystem of partners and suppliers if you can’t seamlessly share insights without fearing fines? This is exactly where privacy enhancing technologies fit in, and why any mature and responsible organization should be evaluating them immediately. And if you don’t believe us, maybe take it from the UK’s Information Commissioner, who “is recommending organisations to start using PETs to share people’s personal information safely, securely and anonymously [because…] PETs enable safe data sharing and allow organisations to make the best use of the personal data they hold, driving innovation.”

Join our webinar on Jul 26th to hear directly from data privacy, security, and regulation experts about the challenges and opportunities they see in fields such as life sciences and financial crimes.
