The misuse of personal data in the Facebook/Cambridge Analytica scandal was a clear demonstration that certain values underlying data protection rules are essential for democracy. With 5G, parts of the infrastructure and supply chain are owned by actors operating under authoritarian regimes, which might create further problems for citizen data protection. At the same time, democratic processes like voting, public participation and digital citizen services will increasingly start relying on 5G infrastructure. With this in mind, it is of utmost importance to protect personal data from exploitation through strong data protection regulations.
In May 2018, the General Data Protection Regulation (GDPR) came into effect in the EU. This is a set of data protection rules that apply to all companies in the EU – including those not based within the EU but operating inside the EU market. It aims to strengthen rights and foster trust in the digital age. This means giving people greater control over their personal data while providing a level playing field for businesses. One core component of the GDPR is consent – by giving or invoking consent, users establish control over their data.
The GDPR works under seven basic processing principles regarding data – lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation, security (integrity and confidentiality), and accountability. These principles are also translated into specific rights for a natural person, such as the right to be informed regarding the processing of personal data. The user has the right to always access their personal data, to correct it, or to erase it entirely. On top of this, the user also has the right to be notified about any rectification or erasure of personal data. As the user gives consent for data processing, this right can also be invoked by the user. Automated decision-making processes, including profiling, are prohibited by the GDPR.
The regulations have been designed to be technologically neutral, which means that the same rules apply to all service providers, controllers, and processors – regardless of the technology used to collect or process data. In this regard, the GDPR also applies when processing data through artificial intelligence, robotics or 5G.
However, the processing principles set by the GDPR are challenged by 5G and the increasing volume of data shared on the web. 5G technology impacts most GDPR obligations and user rights. For example, it is crucial to clarify how high-speed transmission affects the right to be informed, the right to rectification or the right to restriction of processing. The high density of cells in 5G infrastructure will also lead to location privacy issues, as more data about a subject’s location will be transmitted – and identification through location data could potentially be used for profiling and tracking. These could become a particular issue with 5G, as there is likely to be more automated decision-making.
Furthermore, 5G networks support the connection of more IoT devices. In the IoT environment, it is often unclear which company has the right to access or collect data from different devices. It will therefore become more difficult for users to exercise their rights. Additionally, most mobile 5G communication is still IP-based, and IP addresses are classified as personal data. The allocation of these IP addresses could result in other personal data being factored into privacy concerns.
“While the GDPR is considered a strong instrument to ensure digital technologies are consistent with democratic values, it may not be sufficient alone”, concludes an EPRS paper on AI, data protection and elections (p. 2). Simply put, the question remains whether the GDPR is really sufficient to protect data processed by 5G networks. Nevertheless, there are possible solutions to bring 5G and the GDPR together. 5G security measures compliant with the GDPR could be implemented through anonymisation or pseudonymisation of data, as well as through privacy by design, in order to maintain end-to-end data protection.
However, there is still demand for a new e-Privacy law to protect the right to privacy in the digital age. It is argued that data is not secure even when processed by the most technologically advanced companies. There has also been criticism around the lack of obligations for all communications providers to seek consent – “This is precisely the uncertainty which must be avoided. We cannot put data controllers in a position where they are required to simultaneously apply a modernized data protection regulation alongside outdated and fragmented rules on communications data which were designed to regulate a market and communication technologies which have changed beyond recognition in the last 17 years” (Giovanni Buttarelli, 2018: The urgent case for a new ePrivacy law). The newly proposed e-Privacy regulation aims to fix these digital market imbalances, but the e-Privacy Directive is still under negotiation.