It was all over the news a few days ago that Google had reached the quantum supremacy in an experiment, where a quantum processor proved that the figures pumped out by a random number generator were indeed random. This task took 3 minutes 20 seconds (200 seconds) for the quantum processor and according to the estimations, the most powerful classical computer would need approx. 10,000 years for completing the same task.
Of course, there is a lot of uncertainty around this news (actually, it's more a leak than an actual announcement), but at the same time it shows the advent of a very exciting era in computing. (The original study "Quantum Supremacy Using a Programmable Superconducting Processor" was available at NASA's website for a short period of time.)
Besides the fact that quantum computing, by its incredible computing capabilities, may open a new era for development of pharmaceuticals, artificial-intelligence applications, etc., it raises a number of questions, some of which are very important also for data protection.
What is quantum supremacy and how it is related to data protection?
Quantum supremacy is the potential ability of quantum computing devices to solve problems that classical computers practically cannot (or it would take them extremely long period of time, like 10,000 years).
Why is it important from a data protection point of view? The connection is quite obvious if we take, the integrity and confidentiality principle of the General Data Protection Regulation (GDPR) that requires data controllers and processors to process personal data in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. Technological developments, including the developments in quantum computing, may pose new challenges for data controllers, as they should take into account emerging new technologies that may jeopardize the long-term applicability of solutions applied by them to ensure an adequate level of data protection in line with the state of the art. This may be especially relevant in case of data processing activities planned for the long term since data controllers shall react to challanges in a timely manner.
What can be particularly challenging about quantum computing in data processing?
Data controllers (and data processors) shall take into account the state of the art when they decide of security measures, design data processing activities and assess the risks associated with data management. This consideration plays an eminent role, among others, in assessing
- whether a natural person remains identifiable or not;
- how to apply the requirements of privacy by design and by default; and
- how to set the adequate data security standards.
According to the Preamble (26) of hte GDPR, "the principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable." However, technological developments may change the threshold for identification (i.e. it can make data considered anonymous to be connected to a certain person again).
Data protection by design requires data controllers, both at the time of the determination of the means for processing and at the time of the processing itself, to implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of the GDPR and protect the rights of data subjects, by taking into account
- the state of the art,
- the cost of implementation and
- the nature, scope, context and purposes of processing as well as
- the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing.
The above means that the state of the art shall be taken into account by data controllers in designing the technical and organisational measures and data controllers shall be able to apply adequate measures both at the time of the determination of the means for processing and at the time of the processing itself. This may also mean that technological developments and the potentional effects of the same to the planned processing shall be evaluated in the course of conducting data protection impact assessments.
Shall data controllers have fear from the quantum future?
No, as the alleged achievement of quantum supremacy is a great scientific success, however, we are still far from the everyday and widespread application of the technology. At the same time, the potential of quantum computing points to the fact that data controllers (and processors) shall always be in a standby mode to be able to make the necessary steps to act upon new developments (including quantum computing) that may have effects on their processing activities, especially where the processing requires a long retention of personal data (e.g. in case of health records or documentation necessary for pension calculation).