Security by Design
Security by design refers to making security the key element of the configuration of products, services or applications, and thereby preventing any privacy risks from occurring. When designing – or redesigning – an IT system, the way an application or device processes personal data (e.g. location data or access to device files) needs to be considered. This is the case if an IT system automatically – and irreversibly – anonymises, pseudonymises or encrypts data without a specific aim. The security functionality would be inherent and wired in. There are four criteria for privacy by design – data minimisation, minimal level of processing, storage time minimisation, and minimal accessibility to data. Unfortunately, how we can securely design the IoT and 5G networks has not yet been clearly established through protocols.
However, some ideas do already exist – for example, when securing the IoT environment facilitated through 5G technology the central focus should be on expanding the existing security protocols to match contemporary technology. Although it has also been proposed that when transferring IoT data, the principle of proportionality should be respected. A proposed end-to-end security approach would instead shift the attention of attacks towards the devices themselves.
Nevertheless, the Council of the European Union underlined in its Conclusions of December 2019 that the, “increasingly complex, interconnected and rapidly evolving technology calls for a comprehensive approach and effective and proportionate security measures with focus on security and privacy by design as integral parts of 5G infrastructure and terminal equipment.”
European Parliament, 2019, Artificial intelligence, data protection and elections
European Commission, 2020, Joint Statement by Vice-President Jourová and Commissioner Reynders ahead of Data Protection Day
European Commission, EU data protection rules
European Commission, 2019, Questions and Answers – Commission recommends common EU approach to the security of 5G networks
European Commission, Rights for citizens
European Commission, Non-personal data
European Data Protection Supervisor, Shaping a Safer Digital Future: a New Strategy for a New Decade
European Commission, Commission's guidance on free flow of non-personal data Q&A
Intersoft Consulting, Right to data portability - General Data Protection Regulation
DLI, Dissolving Privacy, One Merger at a Time: Competition, Data and Third Party Tracking
Policy Review, Algorithmic systems: the consent is in the detail?
European Commission, European data strategy
European Parliament, 2020, Draft report on a European strategy for data
Rizou, Alexandropoulou-Egyptiadou and Psannis, 2020, GDPR Interference With Next Generation 5G and IoT Networks
European Commission, 2019, Guidance on the Regulation on a framework for the free flow of non-personal data in the European Union
European Data Protection Supervisor, The urgent case for a new ePrivacy law
European Union Agency For Network and Information Security, 2018, Recommendations on shaping technology according to GDPR provisions - Exploring the notion of data protection by default
Liyanage, Salo, Braeken, Kumar, Seneviratne and Ylianttila, 2018, 5G Privacy: Scenarios and Solutions