What are my digital rights, and how can I exercise them? What digital footprint do I leave online, and how is it being used by companies and governmental entities? Who has access to my data, and how and why do they use this?
The European Convention on Human Rights was drafted back in 1950, and already included the right to respect private and family life. Since then data protection rights have evolved worldwide and especially within the EU – the latest accomplishment in Europe being the General Data Protection Regulation (GDPR). Privacy rights of data subjects include:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
5G technology is expected to increase and revolutionise the generation and aggregation of data, potentially challenging data protection in new ways. For instance, the rights of information and access granted to data subjects by the GDPR state that individuals have the right to be informed about the collection and processing of their personal data. They can also lawfully request access to the data that is being processed. However, 5G ecosystems may make this more challenging as they can contain multiple service providers that are located across borders. The fact that data will be passing through various processing entities, based in different jurisdictions, could potentially complicate the exercise of these rights granted to individuals by law.
As 5G offers new services – ultra low latency, much higher broadband capacity, beamforming, and network slicing among others – business models and traditional value chains may change in ways we cannot anticipate today. The consequences for data protection issues also remain unclear.
Likewise, 5G network architectures may interfere with an individual‘s data protection rights through location tracking. Due to the high density of small cells, the locations of individuals can be tracked accurately and seamlessly. Accessing or processing location data may prove helpful for persecuting fugitive criminal offenders, but at the same time poses risks for the privacy of individuals who can be continuously tracked on these networks through mobile phones and other interconnected devices – possibly endangering individual freedom.
Data could also be used in profiling for commercial and political ends, as seen in the Facebook/Cambridge Analytica case. GDPR rules must now be applied to all future data mining and processing activities for commercial reasons within the EU – regardless of the technology being used. With 5G, however, it is anticipated that users will be generating a vast multitude of data. As a result, it is necessary to clarify how specific legal issues, such as the main data processing principles, data subject’s rights, suppliers’ obligations, or the international transfers of personal data, may apply in this new environment.
The security of data processing demands both technological and regulatory measures. In terms of technology, the two concepts of “secure by design“ and “data protection by design” are closely linked – “If the preconfigured settings are by default adhering to a high level of security protection, it is reasonable to expect that personal data will also be subject to a high protection level. On the other way round, as security is a fundamental principle of data protection, privacy-friendly settings will also preserve by default the security of personal data.” (ENISA, Recommendations on Shaping Technology according to GDPR provisions, p.20)
To show how the arrival of 5G may complicate data protection, it is helpful to clarify the meaning of personal data and its protection. “Non-personal data” are data that do not relate to an identified or an identifiable natural person, such as data on weather conditions generated by sensors. “Personal data”, on the other hand, is defined by the GDPR as any information with which a natural person could be identified – directly or indirectly. Such information includes names, identification numbers, location data, an online identifier, or any other data concerning the physical, physiological, genetic, mental, economic, cultural or social identity of a natural person.
Sometimes users are not aware of what personal data they are freely sharing and making available online, along with how this data will be used, and by whom. There are different types of online trackers – either only functioning on a particular site/app, or those that span across different websites and involve the share and sale of data among them. However, the right to data portability in the GDPR states that a natural person has the right to transmit and receive all personal data concerning him or her. This means that companies do not own or control personal data. In a more digitally connected world, it might be difficult to meet and enforce the principles behind the GDPR rules as providers will be spread across multiple jurisdictions.
On the other hand, according to the EU Commissions’ regulation from 2019, companies and public administrations should be allowed to store and process non-personal data wherever they choose in Europe. In the EU’s data strategy, the economic value of data is noted, particularly for being the basis behind many new products and services – and enabling greater personalisation in these – as well as being useful to improve government services.