Multi-Party Computation in Corporate Data Processing: Legal and Technical Insights

Sebastian Becker; Christoph Bösch; Benjamin Hettwer; Thomas Hoeren; Merlin Rombach; Sven Trieflinger; Hossein Yalame

Paper 2025/463

Multi-Party Computation in Corporate Data Processing: Legal and Technical Insights

Sebastian Becker, Robert Bosch GmbH, Germany

Christoph Bösch

, Robert Bosch GmbH, Germany

Benjamin Hettwer, Robert Bosch GmbH, Germany

Thomas Hoeren, Institute for Information, Telecommunications and Media Law, Münster, Germany

Merlin Rombach, Institute for Information, Telecommunications and Media Law, Münster, Germany

Sven Trieflinger, Robert Bosch GmbH, Germany

Hossein Yalame

, Robert Bosch GmbH, Germany

Abstract

This paper examines the deployment of Multi-Party Computation (MPC) in corporate data processing environments, focusing on its legal and technical implications under the European Union’s General Data Protection Regulation (GDPR). By combining expertise in cryptography and legal analysis, we address critical questions necessary for assessing the suitability of MPC for real-world applications. Our legal evaluation explores the conditions under which MPC qualifies as an anonymizing approach under GDPR, emphasizing the architectural requirements, such as the distribution of control among compute parties, to minimize re-identification risks effectively. The assertions put forth in the legal opinion are validated by two distinct assessments conducted independently. We systematically answer key regulatory questions, demonstrating that a structured legal assessment is indispensable for organizations aiming to adopt MPC while ensuring compliance with privacy laws. In addition, we complement this analysis with a practical implementation of privacy-preserving analytics using Carbyne Stack, a cloud-native open-source platform for scalable MPC applications, which integrates the MP-SPDZ framework as its backend. We benchmark SQL queries under various security models to evaluate scalability and efficiency.

Note: This paper presents the results of a publicly funded research project in which Bosch contributed the technical use case and Prof. Hoeren from ITM, Münster contributed the legal assessment. Note that the presented technical solution is not implemented at Bosch and that the legal assessment is an independent academic study and shall not be construed as an official position or endorsement by Robert Bosch GmbH.

Metadata

Available format(s): PDF
Category: Foundations
Publication info: Preprint.
Keywords: Multi-Party Computation GDPR Compliance Data Anonymization Privacy-Preserving Analytics
Contact author(s): Sebastian Becker @ de bosch com
Christoph Boesch @ de bosch com
Benjamin Hettwer @ de bosch com
hoeren @ uni-muenster de
merlin rombach @ uni-muenster de
Sven Trieflinger @ de bosch com
Hossein Yalame @ de bosch com
History: 2025-03-12: approved; 2025-03-12: received; See all versions
Short URL: https://ia.cr/2025/463
License: CC BY

BibTeX

@misc{cryptoeprint:2025/463,
      author = {Sebastian Becker and Christoph Bösch and Benjamin Hettwer and Thomas Hoeren and Merlin Rombach and Sven Trieflinger and Hossein Yalame},
      title = {Multi-Party Computation in Corporate Data Processing: Legal and Technical Insights},
      howpublished = {Cryptology {ePrint} Archive, Paper 2025/463},
      year = {2025},
      url = {https://eprint.iacr.org/2025/463}
}