1. 7.9.2018
5G AND LOCATION DATA PRIVACY
- THE NEXT GENERATION OF CHALLENGES
FOR DATA PROTECTION?
Prof. Päivi Korpisaari & postdoc researcher Anette Alén-Savikko
University of Helsinki
SLS / 7 Sept 2018
• L. Chen, S. Thombre, K. Järvinen, E. S. Lohan, A. Alén-Savikko, H.
Leppäkoski, M. Z. H. Bhuiyan, S. Bu-Pasha, G. N. Ferrara, S. Honkala,
J. Lindqvist, L. Ruotsalainen, P. Korpisaari & H. Kuusniemi: Robustness,
Security and Privacy in Location-Based Services in Future IoT: A Survey.
IEEE Access 2017.
• E. S. Lohan, A. Alén-Savikko, L. Chen, K. Järvinen, H. Leppäkoski, H.
Kuusniemi & P. Korpisaari, 5G positioning: security and privacy aspects,
in M. Liyanage et al (eds) A Comprehensive Guide to 5G Security (Wiley
Publishers 2018) 281-320.
• Two forthcoming articles by A. Alén-Savikko / P. Korpisaari (co-author)
respectively
OUR RESEARCH
SLS London 2018 Alén-Savikko & Korpisaari
Our society relies increasingly on
- wireless communication
- IoT, smart localization tech, (location) data
- location-based services (LBS)
- (5G)
data protection / security & privacy concerns
• sharing personal location data unintentionally or unknowingly
• sensitive data (eg via tracking habits and movements)
• EU law, GDPR, ePD(R)
BACKGROUND
• art 4(1)
personal data is defined as ‘any information relating to an identified or
identifiable natural person’, while ‘an identifiable natural person is one who
can be identified, directly or indirectly, in particular by reference to an
identifier such as a name, an identification number, location data, an
online identifier or to one or more factors specific to the physical,
physiological, genetic, mental, economic, cultural or social identity of that
natural person’
• GDPR art 9(1) “sensitive data”
GDPR
• GDPR, recital 26:
• ‘When determining whether a natural person is identifiable, account
should be taken of all the means reasonably likely to be used (...) To
ascertain whether means are reasonably likely to be used to identify the
natural person, account should be taken of all objective factors, such as
the costs of and the amount of time required for identification, taking into
consideration the available technology at the time of the processing and
technological developments.’
restricts the use of spatial/geographic/location data (even if public data)
PERSONAL LOCATION
DATA
• location data is ‘any data with an implicit or explicit geographic or
geospatial reference, ranging from address data to radio signal-based
triangulation or IP address location’
(Leda Bargiotti et al: Guidelines for public administrations on location privacy.
European Commission. JRC Technical Reports, European Union 2016, 9)
• personal location data ‘any location data directly or indirectly linked to
an individual or that can be directly or indirectly used to identify an
individual’; ‘This becomes possible by making any combination of
(different/several) location and personal data.’ (Bargiotti 2016, 9)
any information, relating to, identified/identifiable, natural person
GDPR art 4, recital 26
CJEU C-582/14 Breyer
WP 136
LOCATION DATA
• updated features catering for new types of applications
• greater speed, lower latency
reliability, capacity for numerous devices, massive connectivity, M2M
communication, automation, AI etc.
• eg millimeter (mm) waves (more bandwidth), small cells (dense base
stations), massive multiple-input multiple-output (MIMO) (many
antennas), beamforming (traffic control), full duplex (simultaneous
transmission and reception of signals)
• “network slicing”; virtualization, softwarization
multiple network functions with one hardware
5G IN A NUTSHELL
(Lohan et al. 2018, 282)
• Problems and challenges
- individual's position and data flows in IoT / M2M: consenting?
- personal data as an asset / method of payment
- big data / analytics: data minimization? purpose limitation? (D)PbD?
- misuse or unauthorized use of location data (secondary uses; terms of
use)
- data security: eg ill-secured devices, leakage of location data due to
hacking or accident, non-transparent privacy policies esp. with regard to
third-party use
(Lohan et al. 2018; S. Khajuria & K. E. Skouby: Privacy and Economics in a 5G
Environment. Wireless Personal Communications 95(1) 2017, 145-154)
LOCATION PRIVACY AND
SECURITY IN 5G
• Privacy assistants
• Encryption (eg identity verification, purpose specification)
• Biometrics (eg access control)
(Lohan et al. 2018, 310)
• Rights or ownership of data
(Khajuria & Skouby 2017; N. Purtova: The Illusion of Personal Data as No One’s
Property. Law, Innovation, and Technology 7(1) 2015, 83-111)
SOLUTION: ENHANCED
USER CONTROL?
• “It seems clear, however, from the above analysis that transparency is
not sufficient to constitute a user side with relevant power […]. This can
only be established with clearly established users’ rights to data—also in
secondary and following usages. This again is a condition for a
functioning 5G ecosystem.” (Khajuria & Skouby 2017, 153)
• “the core question of data protection should be not if there should be
property rights in personal data, but how to structure those property
rights in a way that is both economically sound and respectful of the
individual’s rights” (Purtova 2015, 111)
SOLUTIONS: ENHANCED
USER CONTROL?
THANK YOU FOR YOUR
ATTENTION