The Contexts for Applying Data Privacy Laws to Emerging North American 5G Networks

5G Beyond Borders Header Image

A critical aspect of 5G will be the exponential amount of personal information that is carried on these networks. The United States, Mexico, and Canada all have ambitious plans to roll out 5G networks, which will be covered domestically by their current (Mexico, Canada) or future (United States) data privacy laws. Equally important, since these networks will carry vast amounts of personal digital information between and among the borders of these three North American countries, the recently-enacted US-Mexico-Canada Agreement (USMCA), which replaces the North America Free Trade Agreement (NAFTA), will be applicable to such cross-border 5G data transfers. NAFTA did not have any data privacy provisions, so the USMCA definitely is a step ahead in this important area.

Already, exploding global mobile data traffic is expected to grow five times by the end of 2024, according to telecommunications giant Ericsson. Current networks won’t be able to handle that load. As it is, carriers are running out of capacity in many major cities and users are already experiencing slowdowns during busy times of day. This creates the current market demand for 5G. Longer term, 5G will be applicable to autonomous vehicles, the Internet of Things, smart cities, and many other emerging digital applications.

According to equipment provider Qualcomm, 5G is designed to deliver peak data rates up to 20 Gbps. For example, 5G devices will download an 8k movie 500% faster than 4G LTE. In addition to higher peak data rates, 5G is designed to provide much more network capacity by expanding into new spectrum. 5G can also deliver much lower latency for a more immediate response and can provide an overall more uniform user experience so that the data rates stay consistently high—even when users are moving around.

Ronan Dunne, Executive Vice President and Group President of Verizon Wireless makes the case for 5G clearly. "5G has the potential to join a very exclusive club—the handful of technologies throughout history that transform industries across every sector of the economy … redefining work, elevating living standards, and having a profound and sustained impact on our global economic growth.”

The National Privacy Law Context

Mexico

The Federal Law on the Protection of Personal Data held by Private Parties (Ley Federal de Protección de Datos Personales en Posesión de los Particulares, LFPDPPP) was entered into force in July 2010, with enforcement regulations issued in December 2011. It provides that data owners have the right to request access, rectification, and deletion of their personal data, and to object to its processing. Mexican data protection legislation regulates the collection and processing of any personal information (PI) by any private entity acting as a controller or processor, which impacts any sector that is involved in any sort of personal data collection or processing.

The authority in charge of solving any controversies derived from the exercise of the above-mentioned rights at the federal level is the National Institute for Transparency, Access to Information and Data Protection (Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales, INAI). At the local level, each state has its own similar institution.

The INAI is authorized to perform on-site visits to verify that the data controller's facilities comply with the LFPDPPP. It has the legal authority to conduct investigations; review and sanction data protection controllers; and authorize, oversee and revoke certifying entities. Separately, the Ministry of Economy is responsible for informing and educating on the obligations regarding the protection of personal data between national and international corporations with commercial activities in the Mexican territory. This includes issuing the relevant guidelines for the content and scope of Privacy Notices, in cooperation with the INAI. Both agencies also will play an important role in Mexico’s USMCA implementation.

ARCO rights--an acronym for access, rectification, cancellation or opposition rights--can be enforced by any data subject, in connection with the collecting or processing of its personal information. Companies collecting the data, known as Controllers, must make available, in physical or electronic format, a Privacy Notice prior to processing his/her personal data.  This Notice must inform the data subject about the terms for the collection of personal data; which personal information will be collected; the identity of the Controller; the purpose of the data collection; the possible transfers of data; and the mechanisms for the data subject to enforce its ARCO rights.

Personal data may only be processed legally for compliance with the purpose or purposes set forth in the Privacy Notice. The purpose(s) of the Privacy Notice must be conveyed in a clear, objective manner, not leaving any room for confusion. And Controllers can only collect personal data that are necessary, appropriate, and relevant for the purpose(s) of their collection.

Any data sent through or stored on a 5G network in Mexico will be covered under the Federal Law. This means that businesses located outside Mexico will be subject to the terms of the Privacy Notice whenever the Controller transfers personal data collected in Mexico, in accordance with the provisions of the Law, to the United States and/or Canada.

Canada

The Personal Information Protection and Electronic Documents Act (PIPEDA), first enacted in 2000, is Canada’s federal data privacy law. As of October 2018, seven provinces have opted out of its coverage after a government finding that their respective data privacy laws are “substantially similar” to PIPEDA, and thus would be in force instead.

PIPEDA’s key principles include limitation on collection; choice; data quality; purpose specification; use limitation; security safeguards; transparency; individual participation; and accountability.

Any organizations that collect personal information in the course of commercial activity covered by PIPEDA generally must obtain an individual's consent when they collect, use, or disclose that individual's personal information. A commercial activity is any particular transaction, act, or conduct, or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership, or other fundraising lists.

These covered organizations include airports, aircraft and airlines; banks and authorized foreign banks; inter-provincial or international transportation companies; telecommunications companies; offshore drilling operations; and radio and television broadcasters. Not-for-profit and charity groups; political parties and associations; municipalities; universities; schools; and hospitals generally are covered by provincial laws instead of the PIPEDA.  Federal government agencies are not covered by the PIPEDA, however.

Personal information can only be used for the purposes for which it was collected. If an organization is going to use it for another purpose, it must obtain a separate consent. Personal information must be protected by appropriate safeguards.  Individuals have the right to access their personal information held by an organization. They also have the right to challenge its accuracy.

All businesses that operate in Canada and handle personal information that crosses provincial or national borders are subject to the PIPEDA, regardless of the province or territory in which they are based (including provinces with substantially similar legislation). This group would directly be affected by the USMCA’s data privacy provisions. In particular, Canada urges these businesses “to exchange information on the mechanisms applied in their jurisdictions and explore ways to extend these or other suitable arrangements to promote compatibility between them.” It references the the APEC Cross- Border Privacy Rules system as a valid mechanism to facilitate cross-border information transfers while protecting personal information, but does not mandate these rules, since the USMCA is not bound by them.

The United States

As a growing number of states enact or consider consumer privacy protection measures, many in Congress are pushing for a comprehensive federal consumer privacy law. In 2019, both the Senate Committee on Commerce, Science, and Transportation and the House Energy and Commerce Committee’s Subcommittee on Consumer Protection and Commerce held hearings on protecting consumer privacy.

In the current 116th Congress, four consumer privacy bills and circulated discussion drafts of two additional proposals are in play:

  • H.R. 4978, the Online Privacy Act of 2019, introduced by Representatives Anna Eshoo and Zoe Lofgren on November 5, 2019;
  • The United States Consumer Data Privacy Act of 2019 (USCDPA Draft), a discussion draft circulated by Senator Roger Wicker on November 27, 2019;
  • S. 2968, the Consumer Online Privacy Rights Act, introduced by Senators Maria Cantwell, Brian Schatz, Amy Klobuchar, and Ed Markey on December 3, 2019;
  • An untitled December 18, 2019, discussion draft (E&C Draft) from the House Energy and Commerce Committee, spearheaded by Representatives Cathy McMorris-Rodgers and Jan Schakowsky;
  • S. 3300, the Data Protection Act of 2020, introduced by Senator Kirsten Gillibrand on February 13, 2020; and

S. 3456, the Consumer Data Privacy and Security Act of 2020, introduced by Senator Jerry Moran on March 12, 2020.

Five of the six proposals—H.R. 4978, S. 2968, S. 3456, and the two discussion drafts—take similar approaches. Although details vary somewhat from bill to bill, each regulates the use of personal information by (1) recognizing individuals’ rights to control their personal information; (2) requiring a defined class of entities to take steps to respect those rights; and (3) creating procedures to enforce those requirements.

The five proposals differ, however, in three key respects: (1) which federal agency would have enforcement power; (2) whether to preempt state privacy laws; and (3) whether to provide a private right of action. The sixth bill, S. 3300, takes a different approach: it would create a new agency vested with the power to enforce existing federal privacy laws and authorize that agency to issue broadly applicable privacy regulations.

According to the Congressional Research Service, “each of these five proposals (H.R. 4978, S. 2968, S. 3456, and the two discussion drafts) would recognize a core set of individual rights with respect to covered information held by covered entities. The right of access would give individuals the right to view their covered data held by covered entities, a list of third parties to which that data had been transferred, and the purposes of any such transfers. The right of deletion would allow an individual to request that covered entities delete (or, under some bills, deidentify) any of that individual’s covered information, with some exceptions. The right of correction would give individuals the ability to correct—or require a covered entity to correct—inaccurate information. The right of portability would require covered entities to provide individuals, on request, with copies of their data free from any restrictions on use. And the right of information (also called the right of transparency or the right to know) would require a covered entity to provide individuals with copies of the entity’s privacy policy, as well as any updates to the privacy policy.”

Each of these proposals also “would create notice and consent requirements for how covered entities would use covered information. Under these requirements, a covered entity would have to notify an individual when it intends to collect or transfer information. The entity would then have to ask the individual for affirmative consent (opt in) or give the individual a chance to opt out of the collection or transfer. …[C]overed entities [also would be required] to limit how they collect and use covered information and to take certain steps to safeguard that information. The duty of minimization would limit a covered entity’s collection, processing, and transfer of covered information to no more than it reasonably needs to provide the product or service that an individual requested. Complementing that duty, covered entities would be required to safeguard covered information in their possession by implementing physical security and cybersecurity policies.”

With Presidential and Congressional elections ahead in November, and the urgency of COVID-19 legislative priorities at hand, it seems highly unlikely that there will be any federal data privacy legislation enacted in 2020. A new Congress, however, will be positioned to utilize some of the legislative thinking of the above bills and discussion drafts in an effort to achieve a bipartisan consensus that can be enacted as law. It remains to be seen whether and when this course will be pursued in 2021 or beyond.

The North American Cross-Border Privacy Context

The USMCA is intended to facilitate cross-border data transfers of the three countries covered by the Agreement. This will be especially important once Mexico, Canada, and the United States have substantial national 5G coverage, which is several years ahead. It is in force now for existing terrestrial and wireless network technologies, including fiber lines and mobile 4G LTE.

The USMCA’s data transfer provisions (1) prohibit unnecessary data transfer restrictions; (2) protect against discrimination that would favor domestic data transfers over cross-border transfers; (3) apply to all sectors including financial services; and (4) stipulate that any data transfer rules must not constitute disguised restrictions on trade, support arbitrary or unjustifiable discrimination, or impose transfer restrictions that are greater than are necessary.

Regarding data privacy, the USMCA is not designed to replace current or future domestic laws, but rather to provide a basis for all three countries to develop a workable data privacy protection regime for cross-border data flows.

The USMCA leaves the content and enforceability of such privacy protection up to each of them. It specifically recognizes that there are different legal approaches to protecting personal digital information, including comprehensive privacy, personal information, or personal data protection laws; sector-specific laws covering privacy; or laws that provide for the enforcement of voluntary private sector undertakings. All three countries currently are in compliance with this broad requirement.

Additionally, the United States, Mexico, and Canada agreed to promote compatibility and exchange information on their respective privacy protection mechanisms. The USMCA specifically identifies the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules system as a valid, albeit not required, mechanism to facilitate cross-border information transfers while protecting personal information. The countries also may consider principles and guidelines of other relevant international bodies, such as the Organisation for Economic Co-operation and Development (OECD). In any event, the three countries agreed that compliance with data privacy protections and any restrictions on cross-border flows of personal information should be necessary and proportionate to the risks presented and should not discriminate against parties from the other USMCA countries.

In short, resolution of these issues under the USMCA will need to be closely followed to ensure that the intended level of cooperation in cross-border data transfers is reflected for digital privacy protection, as well. Such cooperation is expected to follow general principles that all three countries seem to agree on: limitations on the collection and use of digital data; security safeguards; transparency; individual participation; and accountability. 

Author

Digital Futures Project

Less and less of life, war and business takes place offline. More and more, policy is transacted in a space poorly understood by traditional legal and political authorities. The Digital Futures Project is a map to constraints and opportunities generated by the innovations around the corner - a resource for policymakers navigating a world they didn’t build.   Read more

Digital Futures Project

Science and Technology Innovation Program

The Science and Technology Innovation Program (STIP) serves as the bridge between technologists, policymakers, industry, and global stakeholders.   Read more

Science and Technology Innovation Program