A Qubit Revolution: Potential implications of quantum computing on the GDPR
The Fourth Industrial Revolution is upon us, providing countless opportunities, avenues and insights within the intersection of law and technology. New legal issues arise from emerging technologies, and the legal implications of such technologies must be taken into consideration as we progress into our digital future. This article will outline the legal implications that quantum computing, an information processing phenomenon that uses "supercomputers”, will pose to the EU General Data Protection Regulation.
What is Quantum Computing?
Quantum computing is a form of classic information processing based on quantum physics.[1] According to existing theory, quantum computers will take over large processing operations typically performed by classical computers, like encryption and data analysis.[2] Through the use of non-classical heavy computations and algorithms beyond the capabilities of today’s supercomputers, quantum computing solves extremely complex, statistical problems.[3]
The “quantum phenomena” known as superposition[4] explains why quantum computing is far superior to its classical counterpart. Where a conventional computer is based on either 0 or 1 bits, a quantum computer can be both 0 and 1 simultaneously. What does this mean? When a quantum computer uses multiple bits, or “qubits”, they process multiple calculations at the same time, leading them to be exponentially quicker than a classic computer. Essentially, a problem that would take a classical computer infinity to process can to be solved by a quantum computer in mere minutes. Beyond scientific and numerical capabilities, such computational power will impact a vast number of sectors today, like transportation, AI, supply chain optimisation, blockchain and so on.[5][6]
The Cybersecurity Problem
According to the 2020 Mckinsey Quantum Report, Quantum computing poses a serious threat to the cybersecurity systems across industries.[7] Today’s computers make it nearly impossible to decode encryption, so much so that the majority of cybersecurity attacks are due to improper cybersecurity resources rather than particularly prolific malware.[8],[9] All the data in our digitised world is protected through algorithms, which operate through classical computing. Yet, quantum computers could render modern decryption useless. The incredible speed at which they function allows them to breach every encryption system we have today. The quantum algorithm called “Shor’s algorithm”[10] gives quantum computers this aptitude. As we anticipate a quantum future, this decryption ability will pose a significant obstacle for information security, implicating both organisations and individuals.
Article 5(1)(f) & Quantum
Article 5(1)(f) of the GDPR states that personal data must be: “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).”[11] Consider the possibility of a quantum today. If an organisation uses individual data protected under encrypted networks (that aren’t quantum algorithms), it will be placing that information at serious risk. The organisation will fall short of its requirement to take appropriate security measures to protect personal data against “unauthorised processing”, thus facing significant fines. Furthermore, the gigantic risk of personal data loss incurred in a quantum-driven world would require much stronger adherence to Article 5, and much harsher consequences if breached.
Another quantum legal challenge lies with automated decision making. Although the GDPR protects data subjects against automated decision making (such as profiling), it will become a tricky issue to measure the compliance of supercomputers, as scientists predict that the processing power of quantum computers will increase the frequency of automated decision making. Thus, the requirements for “right to explanation” in Article 22 will need to be emphasized by legislators and organisations alike.[12]
Quantum computing’s processing capabilities will also impact individual data privacy.[13] Article 5(1)(a) states that personal data must be: “processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’).”[14] Essentially, personal data must be processed in a manner that is lawful, compliant and transparent. This due diligence principle is the bedrock of the GDPR and forms the foundation for the remaining data protection requirements. These guidelines also outline the role of a data controller, whose duty of transparency will be significantly affected by the data processing possibilities of quantum computers. These three ramifications of quantum on the GDPR will call for a revision of its provisions, and subsequent consequences in lieu of adherence.
Conclusion
Quantum computers today are not ready to overtake classical computers just yet, as their full capacities still have a way to go in reality. Notwithstanding, quantum computing is being applied in a number of applications, as well as supercomputing operations at tech giants like Google, Microsoft and IBM.[15] Quantum computing is no longer the stuff of physics theory: it is real, and therefore, significant enough to warrant legal considerations. What regulatory measures will be taken to protect personal information from quantum computers, which can collect, store and possibly monetize our data? Existing regulation, as outlined above, does not account for quantum capabilities, nor the unfathomable level of personal data that a quantum computer can process. The risk of hacking into current encrypted networks will mean that existing personal data protections may become insufficient, creating new challenges for the GDPR. A "quantum future" is upon us: will data protection law be ready for its impact?
Mayowa Oluwasanmi is an incoming law student with a certificate in Computer Science. She is passionate about data protection, cybersecurity and an advocate for tech4good.
[1]"Quantum computing is coming to your business | IBM." Accessed December 6, 2020. https://www.ibm.com/thought-leadership/institute-business-value/report/quantumstrategy.
[2] "Quantum Computing: Theoretical versus Practical Possibility." Accessed December 6, 2020. https://arxiv.org/pdf/1110.3190.
[3]"Quantum Computing: Theoretical versus Practical Possibility." Accessed December 6, 2020. https://arxiv.org/pdf/1110.3190.
[4]"Quantum computing is coming to your business | IBM." Accessed December 6, 2020. https://www.ibm.com/thought-leadership/institute-business-value/report/quantumstrategy.
[5]"Building your quantum capability - IBM." Accessed December 6, 2020. https://www.ibm.com/downloads/cas/2QPLMXOD.
[6]"Quantum Computing & Enterprise | The Dalhousie Business ...." Accessed December 6, 2020. https://dalbusinessreview.com/quantum-computing-enterprise/.
[7]"A game plan for quantum computing | McKinsey." Accessed December 6, 2020. https://www.mckinsey.com/business-functions/mckinsey-digital/our-insights/a-game-plan-for-quantum-computing.
[8]"7 ways quantum computing can help businesses - Pluralsight." Accessed December 6, 2020. https://www.pluralsight.com/resource-center/guides/quantum-computing-helping-business.
[9]"Quantum Computing & Enterprise | The Dalhousie Business ...." Accessed December 6, 2020. https://dalbusinessreview.com/quantum-computing-enterprise/.
[10]"Shor's algorithm - Docs and Resources - IBM Quantum ...." Accessed December 6, 2020. https://quantum-computing.ibm.com/docs/iqx/guide/shors-algorithm.
[11]Data Protection Act 2018, Available at https://www.legislation.gov.uk/ukpga/2018/12/contents/enacted. Accessed 6 Dec. 2020.
[12] Data Protection Act 2018. Available at https://www.legislation.gov.uk/ukpga/2018/12/contents/enacted. Accessed 6 Dec. 2020.
[13]"Can quantum cryptography bring a new era for privacy? - IAPP." Accessed December 6, 2020. https://iapp.org/news/a/can-quantum-cryptography-bring-a-new-era-for-privacy/.
[14] Data Protection Act 2018. Available at https://www.legislation.gov.uk/ukpga/2018/12/contents/enacted. Accessed 6 Dec. 2020.
[15]"Inside big tech's high-stakes race for quantum supremacy ...." Accessed December 6, 2020. https://www.wired.co.uk/article/quantum-supremacy-google-microsoft-ibm.