Data protection and data security

5G and personal privacy: rules to protect your data

The security of our data is an important issue. Time and again, data leaks and hacker attacks fuel the debate. Citizens are wondering, quite rightly, how data protection, privacy and data security can possibly be guaranteed once their data is being moved around even more quickly thanks to the new 5G mobile telecommunications standard.

Data protection: everyone is entitled to determine what happens with their data 

The Basic Law, the German constitution, establishes the right of each individual to free development of their personality (the so-called general right of personality). This includes the right to informational self-determination, according to which every individual has the fundamental right to determine the exposure and use of their personal data. This covers all data associated with a specific person, such as age, email address, religious persuasion or income and financial circumstances. As such, the right to informational self-determination guarantees privacy protection for each individual – and naturally this remains true in the time of the new 5G mobile telecommunications standard. 

Likewise, the EU Charter of Fundamental Rights guarantees each individual the right to respect for their private and family life, home and communications, and the right to the protection of personal data concerning them. This is set out in concrete terms in the European General Data Protection Regulation (GDPR) and the European ePrivacy Directive, which impacts data protection provisions in the field of telecommunications. 

The GDPR, the ePrivacy Directive and the Telecommunications Act 

The introduction of 5G does not affect the legal provisions on data protection or the protection of privacy.

The GDPR is the European data protection statute book and it is directly applicable in all member states. It replaces previous national data protection provisions – for example those contained in the Federal Data Protection Act. Alongside this, the ePrivacy Directive (directive on data protection and the protection of privacy in the electronic communications sector) and the protection of telecommunications data also apply. These special laws partly override the GDPR. 

The GDPR guarantees that affected parties can monitor how their personal data are handled, which is important in ensuring a secure future with 5G. For example, in the future, full-coverage 5G networks will make it possible to record a user’s location and movement profile with considerably greater precision. These are sensitive personal data and, as such, are protected generally by the GDPR and more particularly and specifically by the ePrivacy Directive and the Telecommunications Act. 

It is true that the GDPR envisages some powers for personal data to be processed without the affected party’s permission. This does not, however, apply to traffic data or location data. Here, the significantly stricter rules of the ePrivacy Directive apply, as given effect in the Telecommunications Act. 

To put it briefly, for all practical purposes, location data may not be processed without the user’s permission. 

Such permission must be based on the guidelines set out in the GDPR. It will only be effective if users voluntarily and actively indicate in each specific instance that they agree to their data being processed. This also implies that the users must previously be informed in accordance with the requirements of the GDPR. 

In general, information may only be stored on devices or read from them if users agree to this in accordance with the GDPR. This applies equally whether it is personal data or any other form of information and covers any device that is connected to a public communications network. 

Data security: 5G networks are subject to strict criteria 

In addition to the protection of personal data, data security – that is to say, the technical protection of data – is of paramount importance in the development of 5G networks. 

In Germany, the development of 5G networks is subject to considerably stricter security criteria than 3G and 4G were. The Federal Network Agency (BNetzA) has upgraded the catalogue of security requirements in collaboration with the Federal Office for Information Security (BSI) and the Federal Commissioner for Data Protection and Freedom of Information (BfDI). As published in August 2020, the catalogue lays down the following requirements:

  • Critical components must be certified. 
  • Manufacturers and suppliers must present declarations of trustworthiness. 
  • Product integrity must be ensured.
  • Security monitoring must be implemented. 
  • Personnel in security-relevant areas are subject to special requirements. 
  • Sufficient redundancies – technical reserves to cover any breakdowns or outages – must be assured. 
  • Monocultures must be avoided – in other words, both the core network and the radio access network (RAN) must contain components from at least two different manufacturers. 

The process of guaranteeing security is also covered by international agreements: mobile operators, manufacturers and authorities remain in regular contact as regards the standardisation of mobile communications. This includes participation in a body known as 3GPP (3rd Generation Partnership Project). 

Who keeps watch over data protection and data security in Germany 

In general terms, the supervisory authority for the telecommunications sector is the Federal Network Agency. The Federal Commissioner for Data Protection and Freedom of Information (BfDI) is responsible as an independent authority for monitoring compliance with the data protection provisions in respect of telecommunications and postal services. These include the requirements imposed by the GDPR in respect of technical and organisational measures in order to ensure the security of personal data. The German Bundestag selects the Federal Commissioner for a five-year term. Citizens can contact the Commissioner with any questions or complaints they may have. Moreover, the independent supervisory data protection authorities in the individual German states are responsible for supervising compliance with the data protection provisions.