Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.
Artificial intelligence depends on data — the more diverse the training data, the more powerful the resulting models. Yet access to such data is increasingly constrained. Privacy regulation, cross-border transfer restrictions and the reputational risks of sharing sensitive information make pooling large datasets difficult.
This is particularly acute in fields such as health care and financial and government services where regulators scrutinize how every byte of data is collected and used. The result is a paradox: Organizations know that robust AI systems require collaborative learning across institutions, but the very design of the black box of training and generative learning combined with laws designed to protect individuals prevent those datasets from being freely exchanged.
How federated learning protects data without centralization
Federated learning emerged as one way out of this paradox. Instead of centralizing raw data, multiple participants each train a local model on their own datasets and then contribute updates to a central aggregator. The aggregator merges those updates into a global model that benefits from all the participants' data without requiring them to directly share it.
Google's use of federated learning to improve predictive text on Android devices is a familiar example. Hospitals and banks have begun experimenting with the approach to capture insights from patient outcomes or transaction patterns without handing sensitive records to a central repository.
But federated learning is not a complete solution. Even if raw data never leaves an institution, the model updates exchanged in the process may still leak private information. Researchers have demonstrated that it is possible to infer sensitive attributes or even reconstruct parts of the training data from those updates. In regulated industries, this raises the question of whether federated learning alone meets the threshold of the state-of-the-art security required under frameworks like the EU General Data Protection Regulation. That is where homomorphic encryption enters the picture.
Computing without exposure
Homomorphic encryption allows computations to be directly performed on encrypted inputs. The key insight is that updates to a machine learning model can be encrypted before transmission, allowing the aggregator to perform the necessary computations without ever needing to decrypt them. The aggregator sees only ciphertext, but the resulting global model, when decrypted by the participants, reflects the combined knowledge of all contributions.
The potential of dual use of federated learning and homomorphic encryption promises a system in which neither raw data nor model updates are ever exposed. For privacy professionals, it represents a level of protection that more closely aligns with regulatory imperatives.
The concept is not merely theoretical. IBM has incorporated homomorphic encryption into its federated learning framework. This demonstrates that hospitals can jointly train diagnostic models without exposing sensitive medical data and that banks can build fraud-detection systems across borders without contravening secrecy laws.
Blockchain ecosystems are built on fully homomorphic encryption, enabling trustless and decentralized ecosystems. AI consortia focused on medical research, financial crime detection, and supply chain security have all identified the pairing of federated learning and homomorphic encryption as an attractive way forward.
Technical challenges
Still, the practical questions loom large. Homomorphic encryption remains computationally expensive. Operations that complete in seconds on plaintext may take hours when encrypted, and ciphertexts balloon in size. Early implementations struggled to support the non-linear functions common in neural networks, requiring researchers to approximate activation functions like sigmoid or rectified linear unit with polynomial alternatives.
More recent schemes have improved efficiency and flexibility. Techniques such as packing multiple values into a single ciphertext have sped up computations. Yet even with these improvements, the performance penalty is significant. Training a large-scale model under full homomorphic encryption remains out of reach for most organizations.
As a result, the technology is currently practical only in high-stakes contexts where the benefits outweigh the costs. A pharmaceutical consortium conducting cross-border drug trials may accept slower training times if it allows them to comply with strict data localization laws. A group of banks working on anti-money laundering models may tolerate the inefficiencies to avoid exposing customer identities to competitors or regulators. National security agencies already invest in the technology for joint intelligence analysis.
These domains show that homomorphic encryption in federated learning is no longer confined to academic papers, but the cost remains prohibitive for routine enterprise AI applications.
Experimental architectures
Blockchain, as a former example, runs entirely on homomorphic encryption; smart contracts excel at providing verifiable execution, but they are notoriously poor at preserving confidentiality. By combining federated learning with homomorphic encryption, blockchain-based AI systems could achieve both verifiability and privacy.
Imagine a decentralized health research platform where hospitals contribute encrypted model updates through smart contracts, with the global model's accuracy verified on-chain but the sensitive patient data never revealed. Or consider supply chain networks where participants train risk-detection models collaboratively, governed by blockchain protocols and protected by homomorphic encryption. These architectures are still experimental, but they highlight the direction in which privacy-preserving AI is moving.
Strategic readiness
For privacy officers, the question is not whether to deploy homomorphic encryption immediately, but how to prepare for its eventual adoption. It is not yet ready to anchor day-to-day compliance functions like consent tracking or human resources analytics. Training times and infrastructure costs make such applications impractical. But it is ready for pilots in environments where privacy risks are high, regulatory constraints are strict, and the volume of data is limited enough to keep training times manageable.
Forward-looking organizations are already setting aside resources to explore proofs of concept — not because the technology is production-ready, but because fluency in its strengths and weaknesses will pay dividends once it matures.
Research and development are proceeding rapidly. Universities remain central, refining the mathematical underpinnings and experimenting with faster schemes. Major technology companies have released open-source libraries, such as Microsoft's SEAL and IBM's HELib, to foster experimentation. Governments are investing through initiatives like the Defense Advanced Research Projects Agency's homomorphic encryption programs in the United States and the European Union's Horizon Europe project.
These actors are best positioned to overcome the performance hurdles, but enterprises should follow closely. The pace of progress in the last five years has been dramatic; it is not unreasonable to expect commercially viable implementations within the next decade.
The regulatory environment also matters. Policymakers are beginning to explicitly reference privacy-enhancing technologies in guidance. The European Data Protection Board has highlighted advanced cryptographic techniques as tools to reconcile data sharing with legal compliance. The U.S. Federal Trade Commission has flagged them as part of reasonable security measures in emerging contexts.
Although no regulations currently mandate the use of homomorphic encryption in federated learning, documenting its consideration or piloted implementation may strengthen an organization's accountability narrative if questions arise.
Building a legal framework for encrypted AI
The conclusion is therefore one of cautious optimism. Homomorphic encryption, when paired with federated learning, offers an unprecedented way to unlock collaborative AI while respecting stringent privacy and regulatory requirements. The technology is not yet efficient enough for widespread operational use, but it is too important to ignore.
Privacy professionals should be aware of its potential, advocate for exploratory pilots where appropriate, and engage with vendors and regulators to track its progress. For now, federated learning on its own remains a practical tool for many organizations, but as homomorphic encryption matures, the two together may become the foundation of privacy-preserving AI in both centralized and decentralized environments.
Ultimately, the combination promises more than technical innovation — it promises a new trust architecture for AI. In a world where data cannot always move freely across borders and where regulators increasingly demand mathematical rather than contractual guarantees, homomorphic encryption in federated learning may be the bridge that allows AI to thrive without sacrificing privacy.
The challenge is to manage expectations carefully, investing in research and pilots today while acknowledging that widespread adoption will require further breakthroughs. In doing so, privacy leaders can position their organizations not only to meet the present compliance standards but also shape the future of data protection in the age of AI and blockchain.
Nicoletta V. Kolpakov is the director of law and policy at the Cirrus Institute for AI and Data Governance.
