User consent in telecom and 3GPP standardization
Owing to the revelations that some Internet companies are using and/or selling user data for additional financial gains without users being aware, the focus on user consent is increasing. A simple example is websites starting to ask user consent for using cookies when serving European visitors due to the so-called “Cookie law” from the EU.
It is only natural to ask to what extent communication service providers are (or should be) subjected to the same practices as Internet companies. After all, processing user data is at the heart of providing communication services. For example – providing voice calls requires processing user audio; ensuring uninterrupted connection requires processing user location and signal qualities; and billing requires processing call detail records.
To begin with, let us look at some key pieces of privacy legislation.
Some privacy regulations
The European General Data Protection Regulation (GDPR) is what many believe to be the start of a new generation of privacy legislation. At its core, the GDPR is an overhaul of Data Protection laws within Member States of the European Union. The GDPR seeks to protect individuals' fundamental rights and freedoms, particularly their right to protection of their personal data. This piece of legislation is still the subject of discussion as attempts were made to make it future proof, unlike its predecessor, the Directive 95/46/EC.
Many consider the GDPR to have been successful in its endeavors. The evidence would be the uptake of similar laws, largely based on the GDPR, by nations such as Brazil and India, and many can construe the recent California Consumer Privacy Act to be inspired by the GDPR.
Due to the prevalence of the GDPR, the extra-territoriality it possesses, and its influence in other legislation, this blog post shall simply view things from its perspective.
Legal bases for data processing
The first principle of data protection under the GDPR necessitates that all personal data shall be processed lawfully, fairly, and in a transparent manner. Due to this, a legal basis for processing must be satisfied before any organization can process any personal data.
The GDPR provides six legal bases in which data processing is legally permitted. Unless an organization, for example, a telecom service provider, can show that a processing activity falls within at least one of these, any data processing is considered unlawful.
These six legal bases are listed below in what we at Ericsson consider the order of relevance for the telecoms industry. We base our ordering on our own observations, how often said legal bases are used when reviewing our Records of Processing Activities document as required under Article 30 of the GDPR, and our day to day activities.
The processing is necessary for an organization's own legitimate interests or the legitimate interests of a third party. For telecom service providers, this is perhaps most prevalent within the field of fraud prevention and network optimization.
The individual has given clear consent for their personal data to be processed for a specific purpose, which usually goes beyond usual telco services, requiring additional use cases of data processing. For telecom service providers, this is perhaps most prevalent when discussing the initial use of data, when accessing an application, collecting location or performing marketing activities and the user needs to accept a privacy notice and consent before processing can begin.
The processing is necessary for a contract an organization has with the individual, or because they have asked the organization to take specific steps before entering into a contract. For telecom service providers, perhaps this is most seen through subscription contracts with end-users and consumers.
The processing is necessary for an organization to comply with the law (not including contractual obligations). For the telecom service provider, lawful intercept and regulatory location services are examples.
The processing is necessary for an organization to perform a task in the public interest or for its official functions, and the task or function has a clear basis in law. This is a rarity within telecoms but may sporadically occur.
The processing is necessary to protect someone’s life. Within telecoms, this base is not needed, except in some extremely rare circumstances like natural disasters.
Under the GDPR (and other privacy laws inspired by the GDPR from around the world), consent must be freely given, specific, informed, and unambiguous. It also means that, for users in the European Union, if consent is chosen as the legal basis for processing, users have to agree actively through an affirmative action (opt in).
This has sparked a change in how a lot of companies operate, especially when most of them are used to seeing consent as the main basis of processing. Prior to the GDPR, many companies took the stance of automatically opting an individual into processing, either through having boxes pre-ticked, or informing the individual that they consented to processing simply by using the service.
What we have observed, both within Ericsson and through working with a wide array of suppliers and service providers, is a decreased use of consent as a basis for processing within telecoms since the implementation of the GDPR. Reasons for the decrease can be the additional requirements needed to obtain, retain and manage consent, and an uncertainty about being able to keep the data should its collection be brought into question. The ever-changing nature of the telecoms industry, the need for innovation, and an overwhelming customer need for simplicity are all factors we believe are causing this trend.
Consent can be obtained through many different channels and methods, provided that the same core qualities exists. As mentioned earlier, under the GDPR, consent needs to be freely given, specific, informed, and unambiguous. If all of these qualities can be demonstrated, then the technique can vary from ticking a box, to writing a letter, to choosing technical settings, or preference dashboard settings.
It should go without saying, but the obligations do not end after obtaining consent. Consent should be viewed as a dynamic part of the ongoing relationship of trust with the data subject (e.g. the subscriber), not a one-off compliance box to tick and file away, ongoing choice and control is needed. The right to remove consent at any time in as easy a manner as giving consent is one of the defining features of the GDPR.
Past use cases in 3GPP
Privacy is a very familiar and recurring topic in 3GPP. Let's just look some years back. In 2016, 3GPP conducted the dedicated study TR 33.849 in order to derive privacy principles to be followed in 3GPP when designing new systems, security architectures, and protocols. Then in 2018, when 5G was being designed, the study TR 33.899 elaborately studied several privacy enhancing mechanisms. The results from those studies were then adopted in several formal technical specifications. Below, we discuss the idea of consent in 3GPP by delving into some selected use cases or features.
Minimization of Drive Tests (MDT) is a feature that provides a more simple and efficient way for troubleshooting or verification of the radio network, to replace the traditional drive testing. It involves the processing of privacy sensitive data like the GPS location of a specific subscription (IMSI) or mobile phone (IMEI). Further to this, the data collection could be performed at short and periodic intervals, thus increasing the sensitivity of such a collection over time. Therefore, 3GPP made it mandatory to obtain the user’s consent before activating the MDT functionality. This could be done via customer care i.e. having a representative calling the subscribers. Consent submission via SMS or other channels is also a possibility.
Another feature concerning the location of mobile phones is the LCS feature. It is the capability of an operator network to support standardized mechanisms for locating target mobile phones. The accuracy of locations ranges from decimeters to within sub-meter in horizontal direction and from decimeters to within 3 meters in vertical direction. The consumers of a target mobile phone’s location could be the end users or the mobile phones themselves, network operator, service provider, value added service providers and the operator network's internal operations. When LCS is used for commercial purposes, 3GPP has made it mandatory to check the user’s consent, called privacy profile, in LCS, which may be stored as part of the subscription information. The user consent may be collected as part of a subscription contract.
New 3GPP study on user consent
A new study TR 33.867 on user consent has just started and is in progress in 3GPP as we write this blog post. The aim of starting this study is to focus on and revisit the topic of user consent. The need for this revisit is not only the uptake of new regulations but also uncharted territories owing to new 3GPP features like the following ones.
The Network Data Analytics Function (NWDAF) is a part of the 5G architecture that provides analytics information to 5G network functions and Operations and Maintenance (OAM) services. The analytics information could be statistical information of past events, or predictive information of future events. Said analytics could be either related to the network itself (e.g. load, performance, automation, and quality of service) or the users (e.g. mobility, communication, expected and abnormal behaviors). While user consent may not be relevant for the former, it is important to consider for the latter, especially when the analytics information is shared with entities outside the operator network.
Edge computing is an architectural concept that natively enables operators and third-party services to be deployed close to the mobile phone. While it promises several benefits like lower latency, higher bandwidth, and reduced backhaul traffic, user consent may come into play when the users' locations, identifiers, applications, and session information are used or exposed in non-traditional ways between different network entities.
If there is no initial legal basis for processing, then everything following is classified as illegal under the GDPR. Therefore, it is imperative to not only have a legal basis for processing, but to have the correct one.
Consent is one of the most discussed legal bases for data processing due to the historical nature and the formerly easy way to obtain it. In the post-GDPR world, the dominant position of consent in a telecom context has shifted somewhat, as other bases such as legitimate interest and contract come to the fore. Reasons for this is they are flexible, have a clearer aspect of permanence, and little interaction is needed prior to collection. Therefore, when making the choice as to which legal basis of processing to use, consent may not be the first port of call.
Consent has been, and will always be, vitally important in many areas, even within telecoms, but for most activities which are conducted in this arena, the emergence of new bases has created a more balanced landscape.
Privacy topics are always at the top of agendas at Ericsson. Our contributions to the 3GPP in this area will continue. Should consent be deemed necessary for any use cases, we will investigate technical means to achieve it.
Learn more about Ericsson and standardization.
Learn more about the 3GPP 5G security standard.
Sep 17, 2021 |Blog post
Follow up on user consent in telecom and 3GPP standardization
5G, Research, Security
Aug 01, 2022 |Blog post
AI and privacy: Everything you need to know about trust and technology
AI and machine learning
Sep 21, 2022 |Blog post
Exploring privacy-preserving data analysis
Connected vehicles, Data and analytics
Like what you’re reading? Please sign up for email updates on your favorite topics.Subscribe now
At the Ericsson Blog, we provide insight to make complex ideas on technology, innovation and business simple.