Important legal aspects when applying Multi-Party Computation in the public domain

Secure Multi-Party Computation (MPC) is a technology that facilitates data analysis applications in a privacy-friendly manner. MPC enables parties to perform calculations with the data of a party, without one party’s data becoming known to the other party. As a result, parties can make their data available for joint analysis without sharing their actual data.

The public domain has expressed a desire to use MPC. However, many public organisations are uncertain about the legal acceptability of using MPC. Among other things, public organisations wonder how the deployment of MPC relates to the requirements of privacy law. In particular, the question often arises to what extent the deployment of MPC can contribute to the lawfulness of using personal data collected for a specific purpose for other purposes (so-called “multiple use”). Both data protection legislation, such as the General Data Protection Regulation (GDPR), and sector-specific laws provide rules on multiple use of data. For example, the General Act on State Taxes (Algemene Wet inzake Rijksbelastingen, AWR) has duty to keep silent and the Participation Act (Participatiewet, Pw) contains a strict purpose limitation.

In the white paper below, legal experts from Pels Rijcken’s Innovation, Privacy & Technology (IP&T) team, with support from technical experts from Linksight and TNO, explore the legal aspects (in relation to the technical aspects) of deploying MPC, based on two specific forms of application. In doing so, it also addresses the question whether, and if so, what legal requirements may affect the deployment of MPC. This white paper aims to reduce legal uncertainty existing among public organisations and was created on behalf of the Gaia-X hub the Netherlands, now part of the Centre of Excellence for Data Sharing & Cloud.