Lancer une analyse d'impact des effets de la 5G, incluant les objets et corps connectés, sur la protection des données personnelles et évaluer la conformité par rapport aux lois actuelles sur la protection des données.
5G, both as a mobile phone standard and as a communication protocol between the billions of connected objects, which are announced to begin surrounding us, will multiply data transfers, with higher volumes that will allow better definition (image, video and voice).
Article 35 of the GDPR provides for the possibility of Data Protection Impact Assessments (DPIA) at the level of an organisation collecting personal data. This specifically refers to the processing of personal data using new technologies that are likely to result in a high risk to the fundamental rights and freedoms of individuals.
We call for such assessment to be conducted regularly, every year, and for each EU member state as 5G is rolled out both as a mobile standard and as a communications protocol between the billions of connected objects that have been announced.
This requires amending Article 35 of the GDPR on the basis of Article 16 of the TFEU, so that this type of impact assessment can be initiated at the level of EU member states, at the request of a third party.
The European Economic and Social Committee (EESC) has published the Opinion called Secure 5G deployment– EU toolbox. Point 2.16 states:
"...as 5G networks will largely be based on software, the main security flaws, such as those resulting from equipment suppliers' poor software development processes, could make it easier for actors to intentionally insert deliberate backdoors in products and make them also more difficult to detect. This may increase the potential for their use to have a particularly severe and widespread negative impact. While the cybersecurity issues of 4G have not yet been fully resolved, 5G problems might grow exponentially."
In point 4.15 is stated:
"The EESC has suggested moving from data ownership concepts to a definition of data rights for individuals and legal persons. Consumers should be in control of the data produced by connected devices in a way that ensures consumer privacy along with accessibility, interoperability and data transfer, while ensuring adequate data protection and confidentiality, fair competition and a wider choice for consumers." This movement must be assessed first!
The Next Generation Internet initiative is designed to create an internet of humans that responds to our fundamental needs, including trust, security and inclusion. "The issue of trust has become central, following revelations about the exploitation of personal data, large-scale cybersecurity and data breaches, and growing awareness of online disinformation."
Prior to any use of personal data for processing, a natural person must give his or her consent by means of a clear, free, specific, informed and unambiguous declaration or positive act (Article 4 point 11 of the GDPR).
Currently, this consent is collected in a very partial way, by imposing its collection for each site consulted, which is very burdensome for the user as well as for the collecting structure without any guarantee of sustainable follow-up of the choices made. And the personal rights attached to it, guaranteed by the GDPR, also impose very heavy procedures for their implementation:
— Right to be informed on the use of our data
— Right of access: to know the data that an organization holds about us (art 15)
— Right of opposition: refusing the use of our data (art 21)
— Right of rectification: correcting our information (art 16 and 19)
— Dereferencing of content in a search engine (art 17)
— Right of deletion: delete our data online (art 17)
— Right to portability: obtain and re-use a copy of our data (art 20)
— Rights to human intervention in the face of our profiling or an automated decision (art 22)
— Right to limit processing: freeze the use of our data (art 19).
In the context of 5G and the use of connected objects and bodies, particularly in telemedicine, when using facial or voice recognition, etc., these proofs of consent will be even more difficult to collect.