Privacy, regulations and cross-border data sharing in finance
Dr. Kurt Rohloff, co-founder and CTO of Duality Technologies, discusses the value and inherent risks associated with data sharing on a global scale.
Data is of the utmost value in our modern economy, and for financials, there is a tremendous potential upside to driving insights from data both locally and globally. Whether in clouds, on-premise, or in hybrid scenarios, what is clear is that as our data footprint continues to grow, so does the need to apply proper strategies to ensure a defensive security posture that offers protection without compromising value.
Collaborating on data enables data owners to share information, run analyses, and perform queries to look for indicative patterns in large data that may be hard to detect in smaller datasets. Today, strategic sharing has helped law enforcement to protect citizens from terrorism, fraud, and drug crimes by identifying individuals who are exhibiting indicators of dangerous behaviour, as well as preempt money laundering and financial fraud.
Although data sharing is immensely valuable for the insights and knowledge that can be derived, it could also bring risks when privacy and regulations are not ingrained in the data sharing strategy. Financial data is highly sensitive, must be kept incredibly private and should be shared with rigorous controls.
How privacy enhancing technologies (PETs) can help
To balance the value from sharing data against the absolute need to protect data and privacy, technological solutions such as privacy enhancing technologies (PETs) provide the best of both worlds. PETs are critical collaboration tools for highly valuable data in general – and for the growth of the modern international economy.
However, the use of PETs needs to be standardised and regulated by government and industry to ensure that they meet standards for citizens’ privacy. To date, there are no universal legal regulations for privacy, and financials need to work with individual governments to negotiate and better understand how their user data could be stored, transferred, and used. In fact, 137 out of 194 countries have put in place legislation to secure the protection of data and privacy – and each nation’s policy is unique.
A new transatlantic data transfer pact
There is a long history of attempts at joint US and European Union regulation of data privacy protections, spanning the breadth of various state and federal US protections and the EU and national European protections, such as the General Data Protection Regulation (GDPR).
The EU has generally been highly protective of its citizens’ data, thus driving improvements in transatlantic data sharing and privacy agreements. The Privacy Shield Framework was put in place to provide guidelines for transatlantic data sharing, but it was invalidated in the Schrems II judgement.
On March 25, 2022, the US and EU announced that a new transatlantic data transfer pact – Trans-Atlantic Data Privacy Framework – had been agreed to, replacing Privacy Shield. The US and EU have agreed to enhance the Privacy Shield Framework to enable transatlantic data flows, with comprehensive privacy and security protections.
The new agreement includes:
- Safe, compliant, free data flows between the US and participating EU countries.
- Rules, checks, and safeguards to limit US law enforcement and intelligence access only to that data which is critical for protecting national security.
- A two-tier redress system to address claims from EU citizens that their data was unlawfully accessed by US authorities, including the creation of a Data Protection Review Court.
- Requirements for US companies to participate in adhering to the new regulations via self-verification, with oversight from the US Department of Commerce.
- Monitoring and review mechanisms.
In this context, some of the standardisation issues can be addressed with PETs. PETs can and do provide a secure mechanism for data sharing by enabling institutions to share encrypted insights, instead of directly sharing personal data. This achieves an ethical balance between information sharing and privacy protection – similar to the professed goal of the Trans-Atlantic Data Privacy Framework itself.
Data sharing has evolved significantly post-Covid. With new regulations, advances in technology and the addition of key roles within enterprise organisations, like chief data, privacy and/or compliance officers, that are responsible for how to strategically support data initiatives, the tide is turning in a positive direction. I am thrilled to see that, at a minimum, data regulations are being addressed at a local level, and I am excited to be a part of the shift to a more universal approach in the coming years.
By Dr. Kurt Rohloff, co-founder and CTO of Duality Technologies
About the author
Dr. Kurt Rohloff is the co-founder and CTO of Duality Technologies. He is also a co-founder of the Palisade and OpenFHE open-source homomorphic encryption software libraries and has led defence industry consortia developing these leading open-source libraries.
He is a co-founder and steering committee member of the HomomorphicEncryption.org industry consortium that promotes the adoption of privacy technologies. He is the recipient of a DARPA Director’s Fellowship.
Duality is the leader in privacy enhanced secure data collaboration, empowering organisations worldwide to maximise the value of their data without compromising on privacy or regulatory compliance.