Does the deployment of 5G require a DPIA?
Introduction
In the last year, significant momentum has started to build around fifth generation (5G) for wireless communications technology. The new generation of mobile network technology brings with it new capabilities that over time will allow for a whole new range of previously unthinkable use cases for consumers, business and public administration. However, as also observed by data protection authorities, from a data protection and security perspective these new capabilities bring along new risks that need to be considered and managed. This prompts the question: Does 5G require the execution of DPIAs?
In this paper, we will attempt to explain how 5G has evolved compared to the previous generations of mobile technology, its key technological features and lastly, why this warrants attention from a data protection perspective, and finally we will discuss whether the deployment of 5G requires the execution of a data protection impact assessment.
Generations of Mobile Technology
Each generation of wireless technology has had its hallmarks of innovation:
The first generation of mobile technology, 1G, was about voice. The ability to use a phone in a car, or anywhere else, really took root here.
The advent of 2G introduced a short-messaging layer—pieces of which can still be seen in today’s texting features.
3G led a wave of smartphone advances, which produced a new ecosystem of mobile apps. In the meantime, growing data usage generated a reinforcing cycle of network upgrades
4G-LTE delivered high-speed mobile broadband, fuelled the “on-demand” economy, and powered “anytime-anywhere” streaming video, social media, and gaming.
5G, though still not a term officially used for any specification or in any official document made public by standardization bodies, will deliver low latency and gigabit speeds, which is expected to drive unparallelled innovation, with companies anticipated to be early adopters and beneficiaries.
Features
The main feature and capability to be provided by 5G goes far beyond smart phones, as it directly impacts the development of the Internet of Things (IoT) by allowing the user to simultaneously connect to the multiple wireless technologies and switch between them. The major difference, from a user point of view, between current generations and expected 5G techniques include lower outage probability, better coverage and higher data rates available at cell edge, smarter network and services based on edge computing, lower battery consumption, multiple concurrent data transfer paths and around 1GB/s data rate in mobility.
This way, 5G will have the convenience of ultra-reliable, low latency links that will empower industries to invest in new use cases that will be dependent on robust remote control of critical infrastructure. Entire supply-chains and delivery of services can be fundamentally reshaped. With its gigabit speeds and low-latency response times, 5G can be considered as the “ingredient” that can make innovative use cases live up to their potential, such as connected cars, virtual reality, cloud-connected traffic control, remote surgery, smarter cities, and other applications that depend on essentially instantaneous response and data analysis. From healthcare to consumer entertainment, the possibilities are virtually limitless.
A Data Protection Perspective
Key strengths
Compared to 3G and 4G, 5G promises a significant step forward with regards to anonymised user authentication and secure end-to-end communications, which will broadly strengthen the security posture of our mobile networks. These new security features may however not always be activated by default in the network equipment or they may be implemented in a way that makes it possible to be bypassed. Implementation will therefore greatly depend on how operators will deploy and manage their networks.
Moreover, to protect the data and the identity of its users, 5G introduces an optional feature called subscriber privacy, which encrypts the user’s permanent identity whenever it is transmitted over the air.
From a data protection perspective these new capabilities are a significant step forward. But the decision to take this step forward still needs to be taken by the operators deploying the 5G networks. This necessitates a steadfast focus of the operators to prioritise security and privacy, and not only be driven by commercial objectives, when putting together their 5G deployment plan.
Risks
The implementation of 5G could increase the data protection risks already associated with previous generations of mobile telephony. In a recent technical report, the Spanish Data Protection Authority (AEPD), presented an initial analysis of the risks that 5G and the technologies that use it may entail. The risks detected by the AEPD include the following:
- More accurate geo-location of users: 5G requires more base stations located in a lesser distance from one another. This makes locating individuals geographically based on the network much more precise.
- Profiling and automated decisions: the increase in the amount and the data categories that circulate through the network multiplied by the number of devices that each citizen will connect through 5G will allow for the arrival of a precise individualisation of services, through automated decisions. With the personalised services, a risk of bias in automated decision-making increases.
- Possible loss of user control over personal data: higher speeds can lead to failure to inform Data Subjects about the elements of processing, in response to unmanageable amount of data. Consequently, this might affect the rectification, access, and erasure rights due to the rate of transmission and extent of sharing of data.
- Absence of a homogeneous security model: 5G allows for the existence of multiple agents in the chain of communication through services deployed by different service providers. Each agent may comply with different security standards and may include segments corresponding to protocols of the first generations. Therefore, the global security will equal that of the weakest element.
- Exponential increase in the cyber-attacks surface: increase in the services, the connectivity, the interoperability, the input points and the management points to the network will increase the risk of threats to privacy to materialise.
These risks needs to be considered as part of the deployment of 5G, and appropriate mitigations need to be identified and put in place.
Data Protection Impact Assessment
Legal framework
According to Article 35 (1) of the GDPR, Controllers are required to perform DPIAs where a type of processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons
The GDPR does not define ‘high risk’ nor DPIA. However, some criteria for constituting ‘high risk’ are identified in legal provisions and guidelines. According to WP29, high risk may be involved not only in processing large amounts of data or sensitive or special categories of personal, but also if processing operations are carried out using new technologies and for which the Controller has not carried out a DPIA before. This implies a systematic process to investigate, identify and minimise risks in a project or big data platform for the protection of personal data.
The need for DPIA execution in the deployment of 5G
The use of a new technology
New technology can involve novel forms of data collection and usage, possibly with a high risk to individuals’ rights and freedoms. Hence, the GDPR in its recitals (89 & 91) makes it clear, that use of a new technology can trigger the need to carry out a DPIA. Indeed, the personal and social consequences of the deployment of a new technology may be unknown and a DPIA will help the Controller to understand possible risks.
Huge volumes of data
The processing of personal data on a large scale is one of nine criteria which may act as indicators of likely high-risk processing, according EDPB/Article 29 working party.
5G will connect multiple devices and process significantly higher volumes of data with minimal delay. Therefore, 5G networks will provide the data subjects with the capability of creating, storing and sharing more personal data on the web. The important differences, compared to threats of existing networks, would be the nature and intensity of potential impacts of privacy risks materialising. This is amplified by 5G’s wider footprint into economic and societal functions as a result of its performance, namely IoT driven use cases and security capabilities allowing it to service more sensitive and critical needs than previous mobile generations.
Extracting and tracking the precise location of the device´s user
Extracting and tracking the precise location of the device´s user can provide more capabilities for location-based applications. However, the same capability can bring out location-based privacy vulnerabilities
The cell phone towers currently in use, which enable 2G, 3G and 4G cell phones to work properly, are on average positioned about 1.6 km apart from each other. The distance may of course vary greatly from rural to urban environments. For example, propagation challenges may in dense city areas require 4G cells with only a few hundred meters between them. Consequently, cell phone carriers will as part of the delivery of their mobile services have knowledge of the location of their subscribers to be able to provide the mobile connection. But even with the current density of 4G networks, it will rarely be possible to track individuals to specific addresses in cities – and even less possible in rural areas. Please note, that the ePrivacy strictly regulates, what European mobile operators can use this location for, without having obtained explicit consent for their subscribers for other purposes. This will not change with 5G.
5G cell phone towers will be located more densely. This is partly to increase coverage and capacity in the networks, but also because the radio spectrum 5G will utilise (3.5, 26 and 28GHz) will have a shorter range and cannot as easily penetrate buildings, as sub 1GHz spectrum. This concentration of 5G cells means that mobile operators as part of the provision of their services will have access to and collect significantly more detailed information on the geographic presence of their subscribers. This processing can reveal a lot about them and make possible further personal data processing by leveraging the more precise information about location.
It is arguable, that such precise tracking of data subjects could be considered as public monitoring, which is a type of processing that always requires a DPIA, according to Article 35/3 of the GDPR. This is defined “as a systematic monitoring of a publicly accessible area on a large scale”. Please note for example, that the Polish DPA explicitly has called out the processing of location data by telecom operators, as an activity that requires the completion of a DPIA.
Profiling and automated decision making
The GDPR defines profiling in Article 4(4) as: any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
Automated decision-making has a different scope and may partially overlap with profiling. Solely automated decision-making is the ability to make decisions by technological means without human involvement.
Article 35/3 (a) of the GDPR highlights the need for the controller to carry out a DPIA in the case of: a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person.
In fact, profiling and automated decision making with legal or similar significant effect are two of the concrete set of processing operations that require a DPIA due to their inherent high risk, according to EDPB/WP29.
Since 5G may add these risks from a data protection perspective, the deployment of this technology to use-cases that involve profiling or automated decision making is prone to trigger the need to execute a DPIA.
Conclusion
As 5G technology becomes increasingly widespread, it is imperative that it is deployed in a way that respects the rights of individuals. 5G will, unrivalled by any of its mobile predecessors, be a powerful and critical infrastructure that will link our lives and occupations together.
With data protection by design and by default as well as DPIAs as legal obligations (at least under EU data protection law), Controllers and Processors have the justification and the tools at hand to mitigate possible personal data protection risks connected with new technology, including 5G. The expertise and best-practices from all parties involved (operators, cloud service providers, equipment vendors, government as well as users) are required to ensure a privacy and security conscious deployment of 5G that fosters trust in the technology from users.
One effective way to make sure that all relevant aspects from a security and data protection perspective have been considered, is to carry out a detailed assessment of potential risks and to document these. The DPIA is the obvious and effective choice of tool to do so.
WLC is of the firm belief that mobile operators are required to carry out DPIAs, both for the overall deployment of 5G as a technology, as well as for the individual use cases that will be deployed leveraging the extraordinary capabilities of 5G. However, we also believe that operators should not just do this because of the legal obligation.
To fully explore the opportunities of 5G, we as a society need to have faith in the technology that surrounds us and provides our critical services. Investment in the execution of a DPIA should not be considered a compliance activity. It should be considered an important piece of documentation that provides answers to the concerns that consumers – rightfully – may have.