Cybernetica designs a privacy-preserving multi-party computation solution for EUROSTAT

Cybernetica has successfully completed the JOCONDE project for Eurostat, the statistical authority of the European Union.

The project has delivered a complete analysis and specification of a system that, once deployed, will enable statistical organisations and their partners to jointly compute statistical results from confidential data without requiring access to each other’s data. Furthermore, the project has demonstrated the feasibility of the proposed concept through a small-scale prototype implementation.

JOCONDE, short for Joint On-demand COmputation with No Data Exchange, addresses one important challenge in modern official statistics: how to produce richer, timelier, and more granular statistical products by combining data from multiple organisations, from the same or different countries, when those organisations cannot or anyway do not intend to share their confidential data, neither with each other nor with other third parties.

The system specifications developed in the project rely on the combination of two mature privacy-enhancing technologies: Secure Multiparty Computation (MPC) and Trusted Execution Environments (TEE).

Together, they ensure that input data remains encrypted and inaccessible throughout the entire computation process, i.e., not only during storage and transfer but also during the processing stage. The final result from a pre-defined statistical method is the only output any party receives.

“For this project, Cybernetica brought together over 20 years of cryptographic engineering experience with our systems, legal and governance teams to create the most comprehensive privacy-preserving statistics platform,” explained Dan Bogdanov, Chief Science and Innovation Officer at Cybernetica. “We are thankful to Eurostat for the opportunity to create this new capability for Europe!”

Why it matters

Statistical offices across Europe face growing pressure to integrate multiple data sources in the statistical production process, to meet the demand for better and more timely official statistics. In addition to traditional statistical data and administrative data, statistical organisations are seeking to integrate also data held by private data holders.

Under traditional data-sharing models, this requires each data holder to transmit raw confidential data to another party, e.g., the statistical organisation itself or another trusted third party. In some scenarios this approach is impractical or outright unfeasible due to trust barriers, legal compliance obstacles, information security risks or lack of public acceptance.

JOCONDE eliminates the need for that exchange. Through a combination of advanced technologies and organisational control, the JOCONDE system would allow multiple organisations to take part in a joint computation task while keeping full control over their respective data.

The project has also addressed the legal dimension directly. The JOCONDE concept has been mapped against EU data protection law (GDPR and EUDPR) and the applicable cybersecurity regulation.

The legal analysis has concluded that the system supports compliance to data protection by providing a privacy-by-design platform where a combination of extremely advanced technical measures complement and enforce organisational measures and contractual obligations. The resulting level of security and protection is extremely high.

Built by and for statistical organisations

A key design principle of JOCONDE is reusability. Rather than a bespoke solution for a single use case, the system will implement a Multiparty Secure Private Computation-as-a-Service (MPSPCaaS) model – a shared, reusable infrastructure that, once onboarded, statistical authorities can use across multiple computation tasks and partnerships. This will avoid the cost of designing, building and deploying custom solutions for every new project.

“This project demonstrates the importance that the members of the European Statistical System (ESS) give to the protection of privacy and data confidentiality,” said Fabio Ricciato, Project Manager for the JOCONDE project at Eurostat.

“We envision a system that enables the production of new multisource statistics without requiring the transfer of intelligible data to other organizations."

The project has demonstrated the feasibility of such a system based on current technologies, and has delivered a detailed set of specifications based on which the production system can be built in future projects.

At the heart of the system is a collaborative data governance layer that allows the involved actors to specify jointly, for each computation task, what information will be extracted from the data and to whom it will be delivered. The combination of MPC and TEE technologies prevents internal or external attackers to ‘see’ the data and execute computation tasks that have not received explicit approval by all the involved actors. In this way, each data provider remains in full control of their data.”

The project, carried out for Eurostat under European Commission service contract ESTAT 2023.0400, ran from April 2024 to March 2026 and produced seven deliverables covering usage scenarios and system requirements, technology analysis, legal analysis, governance frameworks, system architecture, a small-scale demonstration prototype, and a trust-building plan.

All project deliverables are publicly available on Eurostat's CROS portal.