5G, which promises connection anytime and everywhere, is set to roll out soon. When we enjoy the network speed that will ramp up IoT connectivity, how will 5G impact our personal data privacy protection?
‘5G’ is the 5th generation of cellular network technology, said to be 10 to 20 times faster than the current 4G technology. 5G technology will contribute greatly to our data-driven economy. It is envisaged that once the 5G infrastructure is in place, Internet of Things (‘IoT’) will become more pervasive and successful. The much quicker wireless internet connectivity of 5G resulting from its higher bandwidth and lower latency could bring about many benefits and enabling newer applications and technologies, such as virtual reality (VR), augmented reality (AR), telemedicine and autonomous vehicles. The potential for new business models and novel services could be limitless.
However, as we enjoy the benefits of the new technology, how will 5G impact personal data privacy protection?
The vision of 5G technology is “always available”, ie constant connectivity at anytime, anywhere, which can be achieved by an omnipresent of IoT devices, such as smart lampposts, smart home appliances, connected cars and more. While data would increasingly improve handiness for service users, and large amounts of performance data could improve service quality, it would also indicate continuous tracking and monitoring of individuals via the enormous amount of personal data generated from their smartphones, IoT devices, and use of various services. More stringent measures will need to be put in place to protect people’s anonymity and information, keeping personal data from falling into the wrong hands.
Location privacy, in particular, of individuals may be more readily compromised in 5G networks. For 5G to achieve “anytime, everywhere”, not only would location data be tracked by more devices continuously in order for more personalised services to be provided on-the-spot, the logging of these geo-locations would become highly precise. 5G signals have a considerably shorter range than those of 4G due to higher frequencies and shorter wavelengths, meaning more cell towers would need to be installed for stable reception. As a result, location tracking via cell towers could become much more precise, possibly pinpointing individuals’ locations instead of an approximation.
In heterogeneous networks like 5G, various entities are involved in the provision of services. These may include mobile network operators, cloud service providers and third party application developers. The network itself is also built with multiple types of networks, utilising different access technologies. The hardware infrastructure and the network architecture of 5G are described as a “multi-vendor environment” by industry experts. Thus personal data could be routed to various data users/processors, making it difficult to track the storage of data, ensure meaningful consent, and maintain robust security and transfer protocols.
Due to the sheer number of devices and sensors that would perceivably connect to the 5G networks, together with the different entities and access technologies that would be connected, an increased amount of personal data (including sensitive personal data such as medical data on smart health devices) would be transmitted. Meanwhile, IoT device developers may be tempted to compromise security of IoT devices for lower costs, higher innovative functionalities and shorter time to market. In the 5G environment where the amount of devices connected and personal data transmitted is ever-growing, the mismatch between volume or sensitivity of data and data security measures indicates a higher risk of unauthorised access and security breaches.
Getting it Right
5G is set to roll out soon, with heavy investments from telecommunications companies and various service providers. Technology will always be evolving, so should the policies and practices to ensure compliance with the laws and regulations, including those relating to privacy protection.
Lawyers must get it right with clients and engineers, merge legal and technological knowledge with competencies not only to comply with the Personal Data (Privacy) Ordinance, but also to follow good data protection practices such as data minimisation, transparency, purpose specification and informed consent. 5G service providers should adopt ‘Privacy by Design’, ensuring privacy protection from the get-go (ie designing the operation flows from an angle of personal data privacy alongside the business models, and ensuring personal data protection for the entire data lifecycle from collection to use, retention, security, transfer, and destruction), instead of treating it as an afterthought.