History and origins of PETs.

PETs, an acronym for the phrase “Privacy Enhancing Technologies,” constitute a phenomenon that is not new and dates back to the mid-1990s.

In fact, in 1995 the title of a groundbreaking report commissioned by the Information and Privacy Commissioner of Ontario, Canada, and the Dutch Data Protection Authority1 contained the phrase “Privacy-enhancing technologies: the path to anonymity.”

However, the earlier report referred to the software called “Mix networks,” developed by David Chaum2 to realize anonymous and unobservable communications over a network, considering that very product as the first PET.

In the same year 1995, precisely on 23/11/1995, the Directive 95/46/ECon the protection of individuals with regard to the processing of personal data and on the free movement of such data” was published in the Official Journal of the European Communities (now the Official Journal of the European Union), which constituted the first European data protection framework.

It should be noted that the Directive mentioned above contained a reference - albeit not explicit - to anonymization since Whereas(26) stated, “the principles of protection shall not apply to data rendered anonymous in such a way that the data subject is no longer identifiable”.

Furthermore, Article 6(1)(e) of Directive 95/46/EC stated that personal data must be “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed”.

Hence, the provision of a limit on data retention and the obligation to delete data after the time limit expiration, subject to retention only for specific purposes, assumes significance. This concept has been confirmed in EU Regulation 2016/679 (GDPR).

It is just worth pointing out that in Italy, the Privacy Code (Legislative Decree 196/2003), before the amendment made by Legislative Decree 101/2018 that made it compatible with the GDPR, contained a reference to the concept of PET in Article 3 where it read “information systems are configured by minimizing the use of personal data and identification data.” The term “minimizing” recalls precisely the PET approach.

What happened in Europe?

In 2007, the European Commission published “COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL on Promoting Data Protection by Privacy Enhancing Technologies (PETs) - COM(2007) 228 final,” which states:

"WHAT ARE PETS? - There are a number of definitions of PETs used by the academic community and by pilot projects on this matter. For instance, according to the EC-funded PISA project, PET stands for a coherent system of ICT measures that protects privacy by eliminating or reducing personal data or by preventing unnecessary and/or undesired processing of personal data, all without losing the functionality of the information system. The use of PETs can help to design information and communication systems and services in a way that minimises the collection and use of personal data and facilitate compliance with data protection rules. The Commission in its First Report on the implementation of the Data Protection Directive considers that "…the use of appropriate technological measures is an essential complement to legal means and should be an integral part in any efforts to achieve a sufficient level of privacy protection…". The use of PETs should result in making breaches of certain data protection rules more difficult and/or helping to detect them."

In October 2010, the 32nd International Conference of Data Protection and Privacy Commissioners (ICDPPC), held in Jerusalem (Oct. 27-29, 2010), at the proposal of the Ontario Commissioner at the time (Ann Cavoukian), adopted the Privacy by Design Resolution which is a milestone in the historical journey leading to Article 25 of the GDPR.

Thus, the European Commission, unable to ignore the resolution on PbD, published the “COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT, THE COUNCIL, THE ECONOMIC AND SOCIAL COMMITTEE AND THE COMMITTEE OF THE REGIONS - A comprehensive approach on personal data protection in the European Union - COM(2010) 609” dated 4.11.2010.

In this communication, the European Commission, among other things, stated that:

"Promoting the use of Privacy Enhancing Technologies (PETs), as already pointed out in the 2007 Commission Communication on the issue, as well as of the ‘Privacy by Design’ principle could play an important role in this respect, including in ensuring data security."

The note reads:

"The principle of ‘Privacy by Design’ means that privacy and data protection are embedded throughout the entire life cycle of technologies, from the early design stage to their deployment, use and ultimate disposal. This principle features inter alia in the Commission Communication on ‘A Digital Agenda for Europe’ - COM(2010) 245.."

The European Commission could not ignore the PbD theme, so it incorporated it into the European Digital Agenda in 2010.

The PbD theme further developed after the 32nd International Conference of Privacy Commissioners 2010. It was consolidated in the document entitled “Privacy by Design - Strong Privacy Protection - Now, and Well into the Future - A Report on the State of PbD to the 33rd International Conference of Data Protection and Privacy Commissioners” (which also mentions us), presented in 2011 by Ontario’s Commissioner at the time, Ann Cavoukian, to the 33rd International Conference of Data Protection and Privacy Commissioners (ICDPPC).

In Europe in 2012 the project to reform the data protection framework was launched, resulting in Regulation 2016/679 (GDPR).

As noted above, the principles of “data protection by design and protection by default” are currently governed by Article 25 of the GDPR, paragraph one (by design) and paragraph two (by default), respectively.

This regulatory provision was an absolute novelty as previously, in European and national legislation, such principles did not exist.

Recent interventions at the international level on PETs.

Has the topic of PETs been abandoned, or has it continued to generate interest?

It is a rhetorical question because what we describe below confirms that interest in Privacy Enhancing Technologies (PETs) has grown over the years and, therefore, has always remained strong.

In fact, in 2022 the White House published a document titled “Advancing a Vision for Privacy-Enhancing Technologies” in which it reads:

"The development of Privacy-Enhancing Technologies, commonly known as “PETs,” can provide a pathway toward this future by leveraging data-driven technologies like artificial intelligence (AI), while preserving privacy."

Finally, in March 2023, the OECD (Organisation for Economic Co-operation and Development - in Italian, Organization for Economic Co-operation and Development - OECD) published a report entitled “Emerging Privacy Enhancing Technologies - current regulatory and policy approaches.”

This report is an updated study on the phenomenon of Privacy Enhancing Technologies to assess their maturity level in the current environment.

For needs of discussion, we will elaborate on this paper in the second part.

PETs and so-called PIMS.

Reasoning by acronyms-which we will explain shortly-the topic of PETs is related to that of PIMS.

In fact, Privacy Enhancing Technologies (PETs) are supposed to be based on “management systems.”

What are we referring to by the acronym PIMS?

This acronym is apt to express two different, though compatible, concepts.

PIMS expresses both of the following definitions:

  1. Personal Information Management Systems”;
  2. Privacy Information Management System”;

Regarding the first one (Personal Information Management Systems), the European Commission (DG CONNECT) on November 23, 2016, published the study - concluded in January 2016 - entitled “An emerging offer of ‘personal information management services’ - Current state of service offers and challenges.”

The focus of this study, following the data-driven economy communication, was on the “concept of user-controlled cloud-based technologies for storage and use of personal data (“personal data spaces”)”. Said document, on the one hand, recalled services such as mydex, myWave, Digi.me, Meeco, Qiy Foundation. On the other, it described open online identity identification systems (open identification), including OAuth, OpenID, OpenID Connect, Kantara UMA16, Universal Authentication Framework, and Universal Second Factor.

Concerning Personal Information Management Systems, the EDPS (European Data Protection Supervisor) has also expressed itself first with the"Opinion 9/2016 on Personal Information Management Systems - Towards more user empowerment in managing and processing personal data" of October 20, 2016, in whose initial summary we read:

"This Opinion explores the concept of technologies and ecosystems aiming at empowering individuals to control the sharing of their personal data (‘personal information management systems’ or ‘PIMS’ for short).."

Subsequently, the EDPS on January 6, 2021, within TechDispatch #3/2020, published the document entitled “Personal Information Management Systems,” by which it describes precisely Personal Information Management Systems (PIMS). Said document begins with the question, “What are Personal Information Management Systems?”

We reproduce below the first part of the EDPS response, which helps provide the necessary essential clarification.

"The PIMS concept offers a new approach in which individuals are the ‘holders’ of their own personal information. PIMS allow individuals to manage their personal data in secure, local or online storage systems and share them when and with whom they choose. Individuals would be able to decide what services can use their data, and what third parties can share them. This allows for a human centric approach to personal data and to new business models, protecting against unlawful tracking and profiling techniques that aim at circumventing key data protection principles.."

Therefore, Personal Information Management Systems enable individuals to have control over their personal data. Specifically, any online service (cloud, archives, vault, blockchain, etc.) or even offline services whose systems allow individuals to have control over their personal data (including authorizing, denying, or revoking consent for third parties to access their personal data) and to manage their online identity. However, the issue of data subjects’ control over their personal data is in Recital(7) of the GDPR.

Regarding, however, the second, Privacy Information Management System reference should be made to the standard ISO/IEC 27701:2019 Security techniques - Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management - Requirements and guidelines. Indeed, this document specifies requirements and provides guidance for creating, implementing, maintaining, and continuously improving a privacy information management system.


In conclusion, as is evident, the same acronym PIMS expresses both Personal Information Management Systems and Privacy Information Management System. However, the two domains refer to different but not opposing contexts that could also coexist. The developer of a PET who adopts a personal information management system may also decide to implement a privacy information management system according to ISO/IEC 27701.

We end the first part of this contribution on PETs here, deferring further study to the second part that we will publish shortly.


(A) Image by stockgiu

If this resource was helpful, you could contribute by

Buy me a coffee

Or donate via

Liberapay


Follow us on Mastodon

Stay tuned!


  1. a) Information and Privacy Commissioner, Ontario, Canada and Registratiekamer, The Netherlands. Privacy-enhancing technologies: the path to anonymity, volume 1. Technical report, 1995. b) Information and Privacy Commissioner, Ontario, Canada and Registratiekamer, The Netherlands. Privacy-enhancing technologies: the path to anonymity, volume 2. Technical report, 1995 (both no longer available online in the original version). However, references are available in the report entitled “Privacy by Design An Overview of Privacy Enhancing Technologies” of 26/11/2008. ↩︎

  2. David Chaum published the concept of Mix Networks in 1979 in his article: “Untraceable electronic mail, return addresses, and digital pseudonyms”. ↩︎