European Data Protection Supervisor
Le Contrôleur Européen de la Protection des Données

European Cybersecurity Month 2020: Time for clarity on 5G, security and privacy in the “new normal”

European Cybersecurity Month 2020: Time for clarity on 5G, security and privacy in the “new normal”

Monday, 19 Octobre, 2020

Many might associate the month of October with shorter days and all things spooky. But it should also be known as the month of all things cybersecurity.

European Cybersecurity Month is an annual campaign that takes place across Europe every October. Its aim is to raise awareness of the risks, opportunities and the state of art in the technological infrastructures that surround and support us in our daily life.

The COVID-19 pandemic has caused an explosive surge in the digitalisation of everyday life in an irreversible way. At the same time, a type of technology that has emerged, and is bound to accelerate the digitalisation of our lives in an unprecedented way, especially after receiving particular attention for its potential, is 5G. Apple has just presented their first 5G iPhones to the world.

1. So what is it that makes 5G so special?

The 5th Generation of cellular (wireless) network technology not only improves the wireless access but also the fixed part of the network, underpinning wireless access with interconnectivity, flexibility and advanced capabilities. It is expected to pave the way towards a hyper-connected world, a world that sees the convergence of all kinds of communication: cellular, fixed and local wireless.

There has been significant progress in Europe and around the world, in terms of 5G trials, cross-border connections, assignment of 5G spectrum and national 5G roadmaps. The EU aims to deploy 5G infrastructures and services across the Digital Single Market by 2020, with full implementation expected after 2021.

Benefits such as faster connections, higher capacity, improved service quality (in terms of the so called “latency”) for cellular communication and the possibility for billions of devices to connect with one another means that 5G could significantly change the way we live. Smart Workplaces, wireless internet for Smart Homes, virtual reality, autonomous driving, remote medical care and much more will all be improved with 5G. 5G will also make it possible for massive real-time data to be collected via digital sensory devices that are necessary for the feeding of powerful Artificial Intelligence (AI) systems.

2. 5G: both good and bad for privacy?

All this, however, has implications for security and privacy, both good and bad.

Existing 3G and 4G mobile networks suffer from poor user authentication methods, which attackers can hack to track users and intercept communications. 5G promises to use fully anonymised authentication techniques to secure end-to-end communication to rectify these deficiencies. However, these new security features may not always be activated by default in the network equipment or they may be implemented in a way that makes it possible to be bypassed. Implementation will therefore greatly depend on how operators will actually deploy and manage their networks.

With 5G, the cells (areas covered by one antenna) are much smaller than with current technologies. Location data is therefore much more precise: as we move through an area that has 5G coverage, the path of movements combined with the timestamps of each move transmits very detailed data to network operators as to where, when and at what speed we move. Network protocols are designed so that location is part of the basic set of information exchanged. This means that location data is available to the network provider at all times, and could also be accessible to other service operators, at various levels.

Location-tracking data consists of extremely high-value information for advertising and surveillance, while being potentially very harmful for vulnerable individuals who may be targeted for political, religious or commercial reasons. Operators will have to bring this technology in line with current European requirements for location data, in particular the General Data Protection Regulation (GDPR) and the ePrivacy Directive.

5G offers potential for the direct connection of billions of IoT (Internet of Things) devices to the internet through the Massive Machine to Machine mode. These myriads of devices (cars, autonomous vehicles, cameras, drones) will be connected to the internet without user intervention, or always on, by design and by default. This raises the need for enhanced transparency for individuals who ultimately need to know who processes their personal data, for what purposes and for how long. It also raises the need for individuals to have enhanced control over their data, using modern and efficient Privacy Enhancing Technologies and encryption.

There is also an increased risk of data breaches with 5G, due to the increased potential to collect and process much higher volumes of data concerning physical human activities and health data, among other things.

Furthermore, major 5G network and IoT device manufacturers are located in third countries outside the EU/EEA, where personal data transfers are subject to a greater risk, as data protection standards are not “essentially equivalent” to those of the EU.

EU Member States have acknowledged that there are greater security risks when the supplier and non-EU country do not have appropriate legislative or democratic checks in place. This is why the European Commission recognises the importance of 5G as a fundamental block of the necessary digital transformations and has therefore taken further steps to strengthen Europe's digital sovereignty, calling Member States to boost investments in high-capacity broadband connectivity infrastructures, including 5G.

3. The future of 5G in Europe

As 5G technology becomes increasingly widespread, it is imperative that it is used in a way that respects the rights of individuals, and is not perceived as being driven exclusively by the economic interests of powerful businesses. However, with data protection by design and by default as well as data protection impact assessments as legal obligations under EU data protection law, controllers and processors have the justification and the tools at hand to provide the appropriate technological and organisational measures to mitigate possible personal data protection risks connected with 5G technology.