Is there a role for Privacy Enhancing Technologies (PETs) to play in the context of international data transfers? The answer to this question could be one of the keys to unlock trusted cross-border data flows at scale in the age of AI.
This was the topic explored in a session organized by the Future of Privacy Forum (FPF) during the Global CBPR Forum in Lima, Peru. Bringing together technical, regulatory, policy, and academic perspectives, the session provided an in-depth overview of initiatives centering on PETs in data transfer developments. It included a technical presentation of two of the most promising such technologies available – trusted execution environments and differential privacy, as well as a recent use case from a US-UK policy pilot and a regional perspective on PETs adoption in Latin America.
The session highlighted both the growing maturity of PETs deployments, as well as the structural challenges that continue to shape their adoption. A central takeaway was that PETs are increasingly being positioned as enabling tools for data use and collaboration — particularly in contexts where legal, regulatory, or trust constraints have historically limited data sharing. By illustrating a specific medical use case and their technical features, speakers demonstrated how PETs can support more responsible data ecosystems and trusted data sharing.
Framing PETs: Concept and Policy Momentum
The session, moderated by Gabriela Zanfir-Fortuna, Vice President for Global Privacy at the Future of Privacy Forum (FPF), started with an overview provided by Maria Badillo, Policy Counsel for Global Privacy FPF, situating PETs within the broader policy landscape and emphasizing that they do not have a universally agreed definition. Drawing from recent policy and regulatory framings, PETs are described as a set of emerging techniques — ranging from cryptographic methods to structural data governance solutions — designed with the purpose of enhancing or preserving privacy.
(Image provided by Maria Badillo.)
PETs can strengthen security by reducing the risk of unauthorized access or re-identification, particularly when data moves across jurisdictions. Some PETs like secure multiparty computation (SMPC), federated learning (FL), and trusted execution environments (TEEs) can facilitate cross-border collaboration by allowing multiple parties to work together without fully disclosing underlying datasets. In this sense, PETs can be understood as a “technical layer of trust” that complement existing legal and regulatory mechanisms.
Additionally, regulators and policymakers are increasingly exploring the role PETs play in enabling trusted cross-border data flows. Examples include G7 commitments to advance the “data free flow with trust” initiative through PETs, collaboration initiatives within the Global Privacy Assembly (GPA), and references to these tools in instruments such as the EU-Singapore Digital Trade Agreement and joint guidance on the ASEAN Model Contractual Clauses and the EU Standard Contractual Clauses.
At the same time, PETs are being tested in real-world scenarios. Examples include privacy-preserving fraud detection using homomorphic encryption in the financial sector and regulatory sandboxes led by data protection authorities. Altogether, these initiatives reflect a broader shift from theory to practice, with regulators increasingly interested in understanding how PETs can complement existing frameworks.
From Techniques to Architectures: Combining PETs in Practice
Building on this framing, James Honaker, Founder and Chief Privacy Engineer at OpenDP, provided a technical perspective on PETs, emphasizing how their value can be maximized when used in combination.
First, differential privacy was described as a method that introduces statistical “noise” into datasets to ensure that individual-level information cannot be inferred from aggregate outputs, allowing organizations to extract insights while maintaining privacy guarantees. Importantly, the development of open-source libraries through initiatives like OpenDP has played a critical role in operationalizing differential privacy across use cases.
At the infrastructure layer, Honaker highlighted TEEs, where data is encrypted and processed within a secure enclave. He explained that through attestation mechanisms, TEEs can also provide verifiable guarantees about the code being executed, enabling parties to trust not only the environment, but also the computation.
Generally, PETs can be mapped across three core functions:
- Joining data: techniques such as hashing or fully homomorphic encryption (FHE) that allow datasets from different parties to be linked without revealing identifiers;
- Computing on data: methods such as TEEs, SMPC, and zero-knowledge proofs (ZKPs), which enable joint analysis without exposing raw data;
- Releasing outputs: techniques such as differential privacy, which ensures that the results of computations do not reveal sensitive information.
Finally, ongoing efforts to increase transparency around PETs deployment were highlighted, including a supported registry of real-world systems currently open for feedback. Such initiatives can play an important role in building confidence, standardizing practices, and facilitating knowledge-sharing across stakeholders.
(Image provided by Maria Badillo.)
Unlocking Cross-Border Health Research Through PETs
Rory Munro, Head of International Regulatory Cooperation at the UK Information Commissioner’s Office (ICO), provided insights on how PETs can be deployed to address real-world challenges in sensitive domains, focusing on a UK-US pilot project involving rare childhood cancers.
Countries often lack sufficient cases to generate statistically meaningful insights, making cross-border collaboration essential. However, this is often difficult due to legal constraints, particularly around international data transfer regimes. The pilot addressed this by combining PETs to enable analysis, aiming not to move personal data across borders, using (i) federated querying to run queries locally within each dataset, (ii) TEEs to ensure secure computation, and (iii) differential privacy to share only anonymized, aggregate results.
Since personal data supposedly never left the jurisdiction in which it was collected, the project did not trigger traditional cross-border transfer requirements. However, participants still conducted a data protection impact assessment (DPIA), reflecting their commitment to risk-based governance even in a PET-enabled environment.
Importantly, the pipeline was initially tested using synthetic data, allowing developers to refine the system. This step was critical in reducing implementation risks and building trust among stakeholders. In addition, by effectively increasing the size of the usable dataset, the system reduced the number of inconclusive results and improved consistency of findings, enhancing trust in the outputs.
A Look from Latin America: Potential & Challenges Ahead
Danielle Zaror Miralles, Assistant Law Professor at the University of Chile, underscored that PETs adoption remains sector-specific and uneven. Some PETs have been deployed for finance, telecommunications, and energy —partly driven by regulatory pressures, cross-border operations, and the need to manage large volumes of sensitive data.
Zaror Miralles also noted that PETs, as a concept, are not widely used in the region. Organizations may implement similar solutions under different frameworks, reflecting a lack of understanding on their framing, which in turn make their adoption particularly challenging. Also, most Latin American jurisdictions have only recently begun to incorporate concepts such as privacy by design and risk-based approaches into their frameworks. This means organizations often lack both the incentives and the clarity needed to invest in these tools.
Finally, PETs deployments in the region have been primarily led by corporations with the necessary expertise and resources; however, expanding access to SMEs will require capacity-building and more user-friendly tools. Developing public-private governance frameworks could potentially help align regulatory expectations, foster collaboration, and support the broader adoption of PETs as part of evolving data governance ecosystems.
Looking Ahead
The discussion highlighted a shift in how PETs are understood and applied, particularly within cross-border data transfer scenarios. PETs are increasingly positioned as enablers of data sharing and innovation, with growing relevance across sectors and regulatory domains, especially when data is processed at scale in the age of AI.
At the same time, these tools offer a way to reduce the “opportunity cost” of restrictive data environments by assisting projects that face legal hurdles or risk concerns, especially when sensitive data is involved. This is increasingly relevant in the context of the Global CBPR Forum, where PETs can complement accountability frameworks by supporting privacy-preserving cross-border data transfers.
Overall, the panel underscored that PETs are no longer theoretical tools: they are being actively deployed to support responsible data use while maintaining privacy protections. Unlocking their full potential, however, will require continued alignment between technical capabilities and regulatory frameworks, as well as broader accessibility beyond large organizations.
As these technologies mature, PETs are likely to play a central role not only in protecting data, but in enabling more collaborative, trusted, and scalable data ecosystems globally.
About the Author
Maria Badillo is Policy Counsel on the Future of Privacy Forum’s Global Privacy team, focusing on privacy and data protection developments in Latin America and related global issues. She holds law and privacy credentials from CIDE and Georgetown, and brings experience from the FTC and Mexico’s competition and telecommunications agencies.
