The Netherlands has a strong starting position in the field of privacy-friendly data sharing, but is not yet able to translate this lead into widespread application. This is evident from the report The road to secure data sharing – A study into the adoption of PETs in the Netherlands, commissioned by the Ministry of Economic Affairs. The conclusion is striking: the technology is there, the knowledge is there, but the large-scale breakthrough has yet to happen.
The study shows that the Netherlands is well positioned internationally in the development of Privacy Enhancing Technologies (PETs). Universities such as TU Delft, TU Eindhoven, and CWI have a strong reputation in cryptography and secure data processing. A vibrant ecosystem of startups and scale-ups has emerged around these knowledge institutions, including Roseman Labs, Linksight, Syntho, and Bluegen.AI, which apply technologies such as secure multi-party computation (MPC), federated learning, and synthetic data.
The government is also playing an active role, with initiatives such as NICPET and the Center of Excellence for Data Sharing & Cloud. Working applications can now be found in sectors such as healthcare, financial services, and cybersecurity. Nevertheless, the use of PETs remains limited to specific domains and pioneers.
It is noteworthy that the technology itself is not the biggest barrier. PETs are technically mature and enable data to be analyzed without revealing underlying personal data or sensitive business information. They reduce the risk of data breaches and help organizations comply with regulations such as the GDPR.
According to the report, the real bottlenecks lie elsewhere: in governance, legal uncertainty, cost sharing, and trust between parties. Many organizations view PETs as legally complex and are reluctant to adopt them for fear of liability or reputational damage. In addition, there is often no clear business case: the party investing in the technology is not always the one that directly benefits from the returns.
The study identifies four crucial preconditions for successful adoption: a positive business case, good data quality, a clear legal basis, and mutual trust between collaborating parties. If one of these elements is missing, implementation will stall almost immediately.
An illustrative example is the approach to healthcare fraud, whereby health insurers, banks, and regulators could jointly detect fraud via MPC without seeing each other's data. Technically, this proved feasible, but diverging interests, legal reluctance, and limited financial incentives for some parties prevented further upscaling.
The report makes a clear call to the government to play a more active role as a purchaser of PET solutions. Not only as a financier of research, but specifically as a launching customer in concrete applications. In addition, it recommends that subsidies be focused more on upscaling and proof-of-value processes rather than exclusively on research.
It has also been suggested that a "regulatory sandbox" be trialed, in which organizations can test PETs under the supervision of regulators within a controlled legal environment.
The core message of the report is clear: PETs are not a silver bullet that will solve all data sharing problems, but they do offer a powerful tool for responsible and secure collaboration with data. The Netherlands has the knowledge, the companies, and the policy focus to be an international leader in this field.
The question now is whether this strong starting position will be converted into large-scale application. Without targeted action, the Netherlands risks losing its lead—not due to a lack of technology, but because of organizational and administrative reluctance.
