During the Dutch Privacy Awards ceremony, Nicpet received the incentive award—a recognition of its efforts to make privacy-enhancing technologies (PETs) more widely applicable and accessible in the Netherlands. That award prompted this conversation with Freek Bomhof. As a data scientist at TNO, where he focuses on Responsible AI and Data Sharing, and as chair of Nicpet's core team, he finds himself at the intersection of technological innovation, public values, and practical application. In this interview, he reflects on the significance of the award, the role of Nicpet as a community of practice, and the ambitions to structurally embed privacy protection in the Dutch data landscape.
The incentive award is exactly that: an incentive. Promoting the adoption of PETs can sometimes be a difficult process. Based on its experiences, Nicpet has made a number of choices regarding its approach and focus, partly because funding is changing. This incentive is a clear signal that it is good that an organization such as Nicpet exists.
The public parties involved in Nicpet are users and can therefore stimulate market demand. In a number of cases, they are also involved in shaping legislation and policy, which gives them influence. But they cannot do this alone: interaction with private providers is essential in order to know what is possible in practice. Private users are a separate target group that has received less explicit attention to date. They face largely the same challenges as public users and can therefore learn a lot from each other. Thanks to the increasingly close cooperation that Nicpet is striving for with the CoE-DSC (Center of Excellence Data Sharing & Cloud), private users are also coming more into focus.
In fact, every application of PETs in the public sector is a good example, because in almost all cases the public value of 'privacy protection' was an important reason. In applications in the security domain, the public value of 'confidentiality' is also important. However, it is true that PETs are often used in specific cases, when the nature of the issue is such that it would be almost impossible to resolve it in a responsible manner without PETs.
A very good example of a structural application of PETs can be found at the RINIS Foundation. They provide large-scale data exchange in the social domain on behalf of a number of implementing organizations. In doing so, they looked at their current portfolio and asked themselves: "Would this exchange still pass muster under the current circumstances?" They have actually redesigned those exchanges that could indeed be improved, but this time using PETs. Because this concerns data from the social domain, it goes without saying that this can be very privacy-sensitive. A clear public value, in other words!
Unfortunately, PETs are still very often used as a 'point solution': one specific data processing task is so sensitive that it is better to use PETs to perform it. This means that each time, a new approach has to be devised for how to set it up. This usually has less to do with the technology and more to do with the legal, ethical, and practical preconditions. Even though every situation is different, making these designs more repeatable can significantly simplify the introduction of PETs.
A good example is the use of synthetic data. This is a specific type of PET in which data is 'recreated' and can be used to test systems or train end users, or for research by third parties. In some cases, the protection of synthetic data is not 100% effective; there is a small residual risk. How do you measure that risk, and what level of risk is still acceptable for the application? If such an assessment method can be standardized, it will be much easier to implement this solution, because a lot of the thinking work will not have to be done again.
Nicpet's mission is (unfortunately) far from complete: namely, to simplify the application of PETs (in the public sector) by providing sufficient knowledge and experience. So we will continue to do this in various ways: by continuing to collect and share best practices, creating materials that fill knowledge gaps, gathering relevant background knowledge, and monitoring technical developments.
One direction that Nicpet will focus on more is also reflected in the increased collaboration with the aforementioned CoE-DSC: if PETs can be built into data platforms as a kind of 'standard option', it will be much easier to use them. Then you no longer have individual point solutions, but you only need to flip a single switch, so to speak. A Data Space or a Federative Data System in which this is possible would be a really big step forward. The Netherlands would suddenly have a much more structured way of handling sensitive data, and it would also suddenly have a unique export product.
