This post is also available in: Español

As we explained in a previous blog entry, the fifth generation (5G) network presents genuinely disruptive advances with respect to the previous mobile connection generation. Since it started to be deployed in Europe in early 2019, an increase in connection speed and a reduction in communication latency (i.e., website response time) have been observed, which translates into an exponential multiplication of the number of connected devices. The impact of 5G connectivity goes far beyond smartphones. It directly affects the development of the internet of things (IoT), insofar as it facilitates the connection of our daily objects (alarms, appliances, cars, to name but a few). It also affects the introduction of the self-driving car, as it reduces the delay between the devices and the servers with which the car communicates to practically zero, allowing immediate communication between the car, other traffic, and data centers and sensors.

In this context, the Spanish Data Protection Agency (“AEPD”) has published a Technical Note analyzing the risks that 5G can entail for personal data protection and offering a series of recommendations to mitigate them.

The AEPD’s technical note is aimed at all those interested in the implications for privacy that the implementation of this technology may have, as well as manufacturers, suppliers, service operators, telecommunication companies, and application developers basing their business model on 5G. It describes the main characteristics of this technology (virtualization, edge computing, location, and modification of security strategies) to address the challenges it poses for data protection.

Some risks

The risks detected by the AEPD notably include the following:

  • More accurate geo-location of users, since 5G technology uses many more base stations with less distance between them.
  • Greater accuracy in creating user profiles and, consequently, an increase in automated decision-making with artificial intelligence and streaming services (in real time).
  • Increased difficulty in determining the liability of the agents participating in data processing, for three main reasons: (i) less clearly defined roles of manufacturers, network operators, and service providers due to different privacy objectives and interests; (ii) absence of a uniform security model; and (iii) increased exposure to cyber-attacks and vulnerabilities of virtual environments.
  • Possible loss of user control over their personal data.

These risks, and the others indicated in the Technical Note, become even more relevant given that 5G promises to establish itself as the great data communication channel for both public and private networks, such that all citizens will be users and their devices will be connected to the 5G network.


To minimize those risks, the AEPD includes a list of ten recommendations, such as providing clear and understandable information to all users of the new 5G-based applications, guaranteeing fully encrypted communications, or establishing sufficient guarantees to perform international data transfers.

Finally, taking into account the fact that 5G technology adds unparalleled risks to those that have already been present for a few years, the AEPD addresses the need to adapt the regulations (in particular, the legislation on electronic communications and public communications networks) to take advantage of the benefits of this technology and, at the same time, guarantee that telecommunications operators process users’ traffic data lawfully.

By: Sergi Gálvez and Ana Sánchez
