Cross-border data approvals that used to take 12+ months just ran in two. That’s the concrete result from the UK-US cancer data pilot the Future of Privacy Forum spotlighted at the Global CBPR Forum Spring Workshop in Lima, Peru.
The session walked through two specific Privacy Enhancing Technologies: trusted execution environments, which let two parties compute over each other’s data without either side seeing raw numbers, and differential privacy, which adds calibrated mathematical noise so individual records can’t be reverse-engineered. The UK-US pilot put both to work so England’s National Disease Registration Service (NDRS) and the US National Cancer Institute (NCI) could study ultra-rare childhood tumors without ever moving patient records across borders. UK data stayed in UK jurisdiction, GDPR overseas transfer rules didn’t apply, and no Transfer Risk Assessment was required.
Here’s the structural shift that matters for your roadmap: PETs don’t just solve a privacy problem, they solve a legal overhead problem. If your product aggregates health, financial, or behavioral data across jurisdictions, you’re building a separate data processing agreement for each corridor. PETs baked into your architecture could collapse that stack. The catch is real: trusted execution environments aren’t weekend projects, and differential privacy tuning requires a statistician who understands epsilon-delta tradeoffs. Watch which compliance frameworks formally recognize PETs as valid transfer mechanisms. The Lima session suggests that’s coming sooner than most founders expect.
The FPF frames PETs as enabling tools, not guarantees. No silver bullet.
— Nathan Zakhary