5G and the EU General Data Protection Regulation
The EU General Data Protection Regulation (GDPR) is one of the hottest topics in privacy, as 5G is within communications. Interestingly, both the EU GDPR and the first release of a 5G standard will arrive in 2018. In this blog post we discuss important impacts of the EU GDPR on 5G.
This blog post includes reflections and assumptions of the authors from a technology research and operational point of view. By no means shall the following blog be considered as legal guidance or advice in terms of fulfilling GDPR or benchmarking compliance.
The EU GDPR is an EU regulation (2016/679) designed to harmonize personal data protection laws across the EU member countries. It has entered into force but shall apply from May 25, 2018. Coincidentally, the timeline of the EU GDPR applicability matches the 5G standardization release plan. This is, in fact, a good coincidence, because 5G standards have addressed privacy issues right from the beginning and the first release of 5G already has many important privacy features.
Big data, which often contains personal data, will be at the heart of 5G, meaning that the protection of personal data becomes very relevant for 5G adoption. Therefore, it is critically important to properly understand what aspects of the EU GDPR – which includes many new consumer rights and privacy assurance requirements – will have an impact on 5G. To that end, we are going to first summarize the EU GDPR and then pick out the five most relevant takeaways for 5G. If you are already familiar with the EU GDPR, you may want to directly jump to the takeaway section.
Summarizing the EU GDPR
There are 99 articles (the actual enforceable provisions) in the EU GDPR, grouped into 11 chapters. What follows is our summary of each chapter, focusing on the articles that we deem most relevant at least for vendors, operators, or standardization.
- General provisions (Art. 1 – 4)
The EU GDPR protects the right of natural persons to the protection of personal data and defines rules relating to the processing and the free movement of personal data (Art. 1 – Subject-matter and objectives). Processing of personal data of subjects within the EU has to adhere to the EU GDPR (Art. 3 – Territorial scope) even if the processing takes place outside the EU. Personal data in the context of the EU GDPR is defined (Art. 4 – Definitions) as "any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person". Additionally, the important distinction between "controller" and "processor" is defined. The "controller" is the entity determining the purpose and means of the processing of personal data, while the "processor" processes personal data on behalf of the controller.
- Principles (Art. 5 – 11)
The following principles for processing personal data are defined in Art. 5 – Principles relating to processing of personal data: lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality. The controller is responsible for and has to demonstrate compliance with these principles (accountability principle). In Art. 6 – Lawfulness of processing, it is laid out under which conditions it is lawful to process personal data. Some important conditions are that the data subject has given consent to the processing or that the processing is necessary for compliance with a legal obligation. The controller should be able to demonstrate the consent of a data subject to the processing of personal data (Art. 7 – Conditions for consent). Furthermore, the data subject shall be able to withdraw previously given consent easily at any time. Generally, the processing of personal data revealing racial or ethnic origin, political opinions and others is not allowed (Art. 9 – Processing of special categories of personal data) unless special conditions are met, e.g., explicit consent from the data subject, or substantial public interest.
- Rights of the data subject (Art. 12 – 23)
The EU GDPR gives the data subject several rights. When personal data is collected from a data subject, the controller has to provide the data subject with information about its own identity, contact information and others (Art. 13 – Information to be provided where personal data are collected from the data subject). The same applies if personal data has not been collected directly from the data subject but from another source (Art. 14 – Information to be provided where personal data have not been obtained from the data subject). A data subject has the right to obtain from the controller information about the data subject's personal data the controller is processing (Art. 15 – Right of access by the data subject), together with additional information such as the purpose of the processing. The right to correct/rectify personal data and to complete incomplete personal data can be found in Art. 16 – Right to rectification. A data subject also has the right to the deletion of personal data without undue delay (Art. 17 – Right to erasure ('right to be forgotten')) under certain conditions not further detailed here. Furthermore, a data subject has the right to restrict the processing of personal data (Art. 18 – Right to restriction of processing) under some conditions and has the right to object (Art. 21 – Right to object) to the processing of personal data. Additionally, a controller needs to have the ability to export or import personal data (Art. 20 – Right to data portability) in a structured, commonly used and machine-readable format if requested by the data subject. A data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which affects him or her (Art. 22 – Automated individual decision-making, including profiling).
- Controller and Processor (Art. 24 – 43)
Appropriate technical and organizational measures have to be implemented by the controller (Art. 25 – Data protection by design and by default), both at the time of determining the means of processing and during the processing itself, taking into account the state of the art, the cost of implementation and the risks. The processor shall be governed by a binding legal act with regard to the controller on the processing of personal data (Art. 28 – Processor). The processing of personal data has to be recorded (Art. 30 – Records of processing activities), indicating, e.g., the purpose of the processing. The EU GDPR also specifies that the controller and processor shall secure the processing of personal data (Art. 32 – Security of processing), which includes, among others, mechanisms such as pseudonymisation and encryption. In the case of a personal data breach, the controller has to notify the supervisory authority (Art. 33 – Notification of a personal data breach to the supervisory authority) within 72 hours after having become aware of it and shall inform the data subject about the personal data breach (Art. 34 – Communication of a personal data breach to the data subject) if there is a high risk to the rights and freedoms of natural persons. The controller shall also carry out an assessment of the impact of the envisaged processing operations on the protection of personal data (Art. 35 – Data protection impact assessment), especially when using new technologies. The controller and the processor shall also appoint a data protection officer (Art. 37 / 38 / 39 – Designation / Position / Tasks of the data protection officer) who is responsible for advising on and monitoring compliance with the EU GDPR. The establishment of data protection certification mechanisms is also encouraged (Art. 42 – Certification).
- Transfer of personal data to third countries or international organisations (Art. 44 – 50)
Transfer of personal data to a third country or an international organization is only allowed (Art. 44 – General principle for transfers) if certain conditions are met, for example that the third country ensures an adequate level of data protection (Art. 45 – Transfers on the basis of an adequacy decision), or other conditions.
- Independent supervisory authorities (Art. 51 - 59)
This chapter describes the roles and minimum structure of the supervisory authorities in the individual member states.
- Cooperation and consistency (Art. 60 - 76)
The EU GDPR also sets up a new board called the "European Data Protection Board" (Art. 68 – European Data Protection Board), which replaces and extends the Article 29 Working Party set out in the now-repealed Directive 95/46/EC. The main task of the European Data Protection Board will be to monitor and ensure the consistent application of the EU GDPR and to issue guidelines, recommendations and best practices. This chapter also deals with cooperation between the different supervisory authorities and the European Data Protection Board.
- Remedies, liability and penalties (Art. 77 – 84)
Within this chapter, the rights of a data subject to lodge complaints (Art. 77 – Right to lodge a complaint with a supervisory authority) and others, such as the right to compensation (Art. 82 – Right to compensation and liability), are defined. It is also defined that the penalty on a controller or processor is 10 million EUR or 2 percent of total worldwide annual turnover of the preceding financial year (whichever is higher) for infringements of obligations such as child's consent, data protection by design and default, data protection officer, codes of conduct and certification, etc., and 20 million EUR or 4 percent (whichever is higher) for infringements of obligations such as the basic principles of processing, conditions for consent, data subject's rights, transfer of personal data to a third country or international organization, etc. (Art. 83 – General conditions for imposing administrative fines).
- Provisions relating to specific processing situations (Art. 85 – 91)
The processing of personal data in special situations like employment context (Art. 88 – Processing in the context of employment) and others is defined here.
- Delegated acts and implementing acts (Art. 92 – 93)
In this chapter it is defined what power the Commission gets with respect to the GDPR.
- Final provisions (Art. 94 - 99)
The GDPR is going to be applicable from 25 May 2018 (Art. 99 – Entry into force and application) and the old Directive 95/46/EC is repealed from that day on (Art. 94 – Repeal of Directive 95/46/EC).
5 for 5G (takeaways from the EU GDPR)
Based on the summary above, what follows are five selected takeaways from the EU GDPR that we deem most relevant, at least for 5G vendors, 5G operators, or 5G standardization. Nevertheless, they are also generally relevant to one or more stakeholders in a connected society.
1. Automate
Virtualized environments are becoming fundamental to 5G mobile networks, in which, for example, virtualized network functions will be dynamically and automatically started, stopped, scaled up, or scaled down. As such, it will become increasingly impractical (if not impossible) to manually ensure that the EU GDPR privacy and security obligations are enforced at all times.
Therefore, we see automation as a key to EU GDPR compliance, mainly for 5G operators and 5G vendors rather than 5G standardization. We stress that operators and vendors should strive for a unified security and privacy management approach which would, in an automated manner, ensure the best possible privacy in networks, monitor EU GDPR compliance gaps in near real time, ensure that the needed evidence is collected in the event of a privacy breach, and perform the necessary communications. Automated measures for fulfilling users' rights, for example consent, data portability, restriction and erasure, among others, must also be in place.
2. Be proactive
It is indeed encouraging to see that the 5G security standard (in progress as 3GPP TS 33.501) has had a strong focus on privacy from the beginning. In general, data protection by design and by default should be increasingly adopted by standardization.
Different working groups in 3GPP should work in close coordination with the security working group (SA WG3), for example, when designing identifiers and protocols, and specifying test cases for privacy assurance in 5G. The same is true for vendors, for example, when implementing 5G standards and developing proprietary solutions. Vendors must have, besides data protection by design and default, privacy impact assessment built into their product development lifecycle and should advise operators about the privacy impact of new technologies. Additionally, the operators must analyze how the EU GDPR affects their business model and take proactive steps in achieving compliance, for example, by appointing a competent data protection officer.
3. Properly protect personal data
The EU GDPR obligations for protecting personal data are directly applicable to operators, which are involved in handling personal data, in contrast to vendors, which are not. Nevertheless, vendors have the responsibility to deliver appropriate technology, products, or solutions that enable operators to comply with the EU GDPR.
Special care must be given to the functions, for example OSS/BSS, which operate on personal data. Operators and vendors must make sure that any form of data analytics on personal data has appropriate consent from users. In general, protection measures for personal data must be in place through hardening of nodes, encryption and integrity protection of stored personal data, anonymization and pseudonymisation of personal data (when applicable), separation of data according to purpose, authorized access, access logs and deletion of personal data when no longer required, among other actions. Effort on research topics such as differential privacy and transparency logging should also continue, as a key enabler of privacy by design.
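To make several of the protection measures listed above concrete, here is an added example (not code from the post's authors, from 3GPP or from any vendor) that shows keyed pseudonymisation of a subscriber identifier, an integrity tag on each stored record, separation of records by purpose, an access log, and erasure both by retention period and on request. The keys, retention periods, field names and IMSI-shaped identifier are constructed for illustration; in a real deployment the pseudonymisation key would be held in a separate key store and the records would additionally be encrypted at rest, which this standard-library-only example leaves out.

```python
"""Pseudonymisation, integrity protection, purpose separation, access logging
and erasure for stored subscriber data (stdlib only). Added example for this
post; not the authors', 3GPP's or any vendor's code. Keys, retention periods,
field names and the identifier below are constructed."""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Constructed retention periods per processing purpose (storage limitation).
RETENTION = {"billing": timedelta(days=30), "analytics": timedelta(days=90)}


def pseudonymise(identifier: str, key: bytes) -> str:
    """Keyed hash: equal identifiers give equal pseudonyms (records stay
    joinable), but without the key the pseudonym cannot be reversed or matched
    against a list of known identifiers. The key must be stored apart from the
    pseudonymised data, otherwise this is not pseudonymisation."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()[:32]


class FakeClock:
    """Constructed clock so retention can be exercised offline."""
    def __init__(self, start: datetime):
        self.t = start

    def now(self) -> datetime:
        return self.t


class PersonalDataStore:
    """Records are keyed by (purpose, pseudonym), so data held for one purpose
    is not reachable through another. Each payload carries an HMAC tag so that
    silent modification is detected on read. Every write, read and erasure is
    appended to an access log."""

    def __init__(self, pseudonym_key: bytes, integrity_key: bytes, now):
        self._pkey, self._ikey, self._now = pseudonym_key, integrity_key, now
        self._records = {}     # (purpose, pseudonym) -> (payload_json, tag)
        self.access_log = []   # (event, purpose, pseudonym, actor, timestamp)

    def _tag(self, payload: str) -> str:
        return hmac.new(self._ikey, payload.encode(), hashlib.sha256).hexdigest()

    def _log(self, event, purpose, pseudonym, actor):
        self.access_log.append((event, purpose, pseudonym, actor, self._now().isoformat()))

    def put(self, identifier: str, purpose: str, fields: dict, actor: str) -> str:
        if purpose not in RETENTION:  # no purpose without a retention rule
            raise ValueError(f"no retention period defined for {purpose!r}")
        pseudonym = pseudonymise(identifier, self._pkey)
        payload = json.dumps({"fields": fields, "stored_at": self._now().isoformat()}, sort_keys=True)
        self._records[(purpose, pseudonym)] = (payload, self._tag(payload))
        self._log("write", purpose, pseudonym, actor)
        return pseudonym

    def get(self, pseudonym: str, purpose: str, actor: str):
        self._log("read", purpose, pseudonym, actor)
        entry = self._records.get((purpose, pseudonym))
        if entry is None:
            return None
        payload, tag = entry
        if not hmac.compare_digest(tag, self._tag(payload)):
            raise ValueError("integrity check failed for stored record")
        return json.loads(payload)["fields"]

    def purge_expired(self) -> int:
        """Storage limitation: drop records older than their purpose allows."""
        now = self._now()
        expired = [k for k, (payload, _) in self._records.items()
                   if now - datetime.fromisoformat(json.loads(payload)["stored_at"]) > RETENTION[k[0]]]
        for purpose, pseudonym in expired:
            del self._records[(purpose, pseudonym)]
            self._log("erase-expired", purpose, pseudonym, "retention-job")
        return len(expired)

    def erase_subject(self, identifier: str, actor: str) -> int:
        """Right to erasure: remove one subject's records across all purposes."""
        pseudonym = pseudonymise(identifier, self._pkey)
        keys = [k for k in self._records if k[1] == pseudonym]
        for purpose, _ in keys:
            del self._records[(purpose, pseudonym)]
            self._log("erase-request", purpose, pseudonym, actor)
        return len(keys)


def demo() -> dict:
    """Lifecycle walk-through with constructed keys, identifier and clock."""
    clock = FakeClock(datetime(2018, 5, 25, tzinfo=timezone.utc))
    store = PersonalDataStore(b"\x01" * 32, b"\x02" * 32, clock.now)
    imsi = "001010123456789"  # constructed IMSI-shaped value, not a real subscription
    billing = store.put(imsi, "billing", {"plan": "basic", "data_used_mb": 1200}, "billing-svc")
    readback = store.get(billing, "billing", "billing-svc")
    analytics = store.put(imsi, "analytics", {"cell": "constructed-cell"}, "analytics-svc")
    payload, tag = store._records[("analytics", analytics)]  # simulate tampering behind the store's back
    store._records[("analytics", analytics)] = (payload.replace("constructed", "altered"), tag)
    try:
        store.get(analytics, "analytics", "analyst")
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    clock.t += timedelta(days=31)  # billing record expired, analytics record not
    purged = store.purge_expired()
    after_purge = store.get(billing, "billing", "billing-svc")
    erased = store.erase_subject(imsi, "dpo")  # removes the remaining analytics record
    return {"pseudonym_hides_imsi": imsi not in billing, "readback": readback,
            "tamper_detected": tamper_detected, "purged": purged, "after_purge": after_purge,
            "erased": erased, "events": [e[0] for e in store.access_log]}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The access log is what makes the other measures auditable: it records who read which pseudonym for which purpose, and why a record disappeared (retention job or erasure request), without itself containing the original identifier.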
4. Do not over-engineer
It is very important, especially for 5G standardization and 5G vendors, to take a broader consideration of the system and threat landscape, both from a technical and business point of view, when designing privacy solutions. The delivery timeline of standardization, cost of implementation, and complexity of testing are vital considerations.
The EU GDPR itself encourages taking these considerations into account. In other words, over-engineering must be avoided, meaning that technical solutions for privacy must be feasible, practical, and appropriate to the risks. To that end, guidelines produced by the newly formed European Data Protection Board must be taken into consideration. To date, the Article 29 Working Party has produced guidelines on, for example, the right to data portability (WP 242), data protection officers (WP 243), and data protection impact assessment (WP 248).
5. Take obligations seriously
With penalties that can reach as high as EUR 20 million or 4 percent of total worldwide annual turnover, there is a huge financial risk for operators in case of potential non-compliance. There are also real risks to reputation or brand image. Therefore, operators must take the EU GDPR obligations very seriously, and vendors and standardization bodies must make sure that operators are able to comply with the EU GDPR.