David Lehr: Bridging the Gap Between Technology and Policy through Open Loop

At the 2024 Eyes-Off Data Summit, David Lehr Privacy Policy Manager at Meta, introduced the company’s Open Loop initiative, which focuses on bridging the gap between privacy-enhancing technologies (PETs) and practical policy-making. Lehr highlighted how Open Loop helps governments, tech companies, and experts test prototype data privacy policies to see what works in real-world settings.

Throughout his presentation, Lehr emphasised the importance of collaboration between technology providers and regulators, ensuring that privacy practices are effective, legally compliant, and feasible for companies to implement.

The Open Loop Initiative: Testing and Prototyping Data Policies

Lehr introduced Meta’s Open Loop program, an initiative designed to test prototype policies—such as draft laws and regulations—before they are implemented. The program works with governments, tech companies, and experts to identify what policies are effective, what needs adjustment, and how to better align them with real-world data processing needs.

Through dialogues with stakeholders in Brazil and Uruguay, Open Loop sought to understand how privacy-enhancing technologies (PETs) could be applied in real-world scenarios. By bridging technology and policy, the initiative ensures that the resulting policies are both practical and theoretically sound.

Lehr emphasised, “We want to test these policies to figure out what works and translate that into actionable policy recommendations.”

The PETs Playbook: A Framework for Risk Reduction

One of the key outputs of the Open Loop initiative was the development of the PETs Playbook, a comprehensive document designed to guide companies in understanding PETs, how they mitigate privacy risks, and how they can be implemented. 

The Playbook was created with feedback from 19 companies, 16 experts, and six observer institutions, including NGOs and regulatory bodies in Brazil and Uruguay, to ensure it covered both technical and legal aspects.

The PETs Playbook is a tool to help companies apply PETs to real-world scenarios by breaking down the process into a three-step framework:

Step 1: Assess Privacy Risks

The first step is identifying potential privacy risks within the data processing context. This involves understanding how personal data is collected, processed, and shared, and recognising vulnerabilities where privacy may be compromised. 

By assessing these risks, organisations can determine the type and magnitude of threats they face, which informs the strategies and PETs to be used in mitigating these risks.

Step 2. Identify Risk-Reducing Strategies

Choose strategies to mitigate identified risks. These strategies are based on privacy-by-design principles and can be categorised into:

• Data-Oriented Strategies: Minimise, separate, aggregate, or hide data to reduce exposure and safeguard privacy.
  
  

• Organisation/Process-Oriented Strategies: Ensure transparency, control, and accountability in data processing, such as informing users and enforcing compliance policies.

Step 3: Select Relevant PETs

Based on the risk-reducing strategies chosen, select specific PETs to implement these strategies. For instance, use encryption to hide data, or differential privacy to minimise re-identification risks. This step involves tailoring PETs to the context to ensure both privacy and data utility are preserved.

According to Lehr, many companies, particularly smaller ones, found the PETs Playbook invaluable for expanding their understanding of privacy-enhancing technologies and their role in protecting user data. 

Challenges Companies Face in Implementing PETs

While the PETs Playbook offered companies a framework for understanding and deploying PETs, many organisations face significant hurdles when it comes to actual implementation—especially at scale. These challenges can be split into two categories: technical and regulatory.

Technical Barriers

One of the biggest issues companies reported was the lack of necessary resources, such as data infrastructure, technical expertise, and computational power, to effectively deploy PETs. 

They often require advanced infrastructure and specialised employees to execute correctly, which can be a burden on less-resourced organisations.

Further, companies voiced concerns about the feasibility of using PETs in their day-to-day operations. For instance, the new techniques often require significant computing resources, and there is a steep learning curve for companies not already familiar with these approaches.

Regulatory Uncertainty

Beyond the technical challenges, companies also face uncertainty around the regulatory environment. The issue is that many organisations don’t fully understand how their use of PETs aligns with existing data protection laws like GDPR. 

For example, companies can struggle with the concept of anonymisation and being able to assess how far they must go to ensure data is truly anonymised and what legal liabilities they might still face even after deploying PETs.

This uncertainty can discourage companies from fully adopting privacy-enhancing technologies because they are unsure whether their implementations will hold up under regulatory scrutiny. Additionally, companies worry about the cost of hiring legal teams to navigate these murky waters, further complicating PET adoption.

The Path Forward

During the fireside chat with Sharon Ayalde of OpenDP, Lehr outlined several policy recommendations and solutions that could help overcome these barriers and foster the wider adoption of PETs.

1. Incentives for PET Adoption

Lehr argued that regulatory bodies should provide clearer incentives for companies to adopt PETs. Given the high costs and complexity of implementing these technologies, particularly for smaller businesses, governments could offer financial incentives, tax breaks, or grants to support PETs adoption.

Moreover, he suggested that clearer regulatory guidance is needed to help companies understand when and how to deploy PETs to meet legal standards. For instance, policies that provide more precise definitions of anonymisation thresholds could help companies navigate the grey areas of data protection law.

2. Multi-Stakeholder Collaboration

As companies, governments, and regulators all work to address privacy challenges, open dialogues are essential to ensure that best practices and standards are aligned. Lehr emphasised that ongoing conversations between tech firms, regulators, and standard-setting bodies could facilitate more effective PET implementation across industries.

The Open Loop initiative has already made significant progress in this regard by bringing together a range of stakeholders to discuss PETs and policy-making. Lehr noted that companies in both Brazil and Uruguay were eager for these discussions to continue, seeing them as critical to understanding how PETs es can be effectively integrated into their operations.

3. Education and Research Investment

Lehr also underscored the importance of investing in education and research around PETs. He highlighted that smaller companies often lack the resources and expertise to implement privacy-enhancing technologies, which is why investing in educational programs and open-source PET tools is crucial.

In addition, Lehr advocated for direct government funding of research and development into PETs, noting that this would lower the barrier to entry for smaller companies that might otherwise struggle to adopt these technologies. Initiatives like the US-UK PET prize challenge are examples of how governments can support innovation in this area.

Key Takeaways from David Lehr’s Presentation

• Open Loop: An experimental governance program designed to test policies before they are officially implemented, providing actionable recommendations for PET adoption.
  
  

• PETs Playbook: A guide for understanding and implementing privacy-enhancing technologies, structured around a three-step process: assessing risks, identifying strategies, and choosing relevant PETs.
  
  

• Implementation Challenges: Companies face both technical (infrastructure, expertise) and regulatory (legal uncertainty) hurdles in adopting PETs at scale.
  
  

• Policy Recommendations: Financial incentives, clearer regulatory guidance, and open dialogues between stakeholders are essential for promoting PET adoption.
  
  

• Collaboration: Multi-stakeholder collaboration, particularly between tech companies and regulators, is crucial for developing effective privacy standards.

For more detailed insights from Lehr’s talk, you can watch the full recording on our YouTube channel. 

The Future of PETs Lies in Collaboration

David Lehr’s presentation underscored a key message: the future of PET adoption depends on collaboration between technology companies, regulators, and governments. Initiatives like Open Loop will play a vital role in ensuring that privacy-enhancing technologies are both technically feasible and legally sound.

By addressing the challenges that companies face—whether through financial incentives, clearer regulations, or multi-stakeholder dialogue—there is hope that PETs will become a more integral part of data processing in the years to come. 

Through ongoing education, investment, and collaboration, Lehr believes that organisations will be better equipped to meet the privacy demands of today’s digital world.

For more insights from the Eyes-Off Data Summit, explore our detailed recaps of Day 1 and Day 2 to dive deeper into the expert discussions. To safeguard your organisation's data, reach out to us today.