Many new applications and use cases in the 5G System require the storage and processing of user data along with the request for providing communication services. In such cases, user consent is required. In the present document user consent means a specific and clear opt-in of the user to indicate permission to the processing and collection of the user's personal data for a specific purpose.
Privacy is one aspect for which user consent is needed. Privacy aspect has already been studied in detail in TR 33.849
, which provides privacy principles that need to be followed in 3GPP when designing new systems, security architectures and protocols. Parts of TR 33.849
are related to user consent and can be taken into account in the present document.
In clause 6.5 of TR 33.849
, user consent is introduced as one of the threat mitigation approaches to mitigate the privacy risk, and gives a brief introduction on how explicit user consent can be collected.
In clause 5.3.4 of TR 33.849
, conditions which user consent is required for personal information disclosure is defined as: "Personal data disclosure with the purpose to accomplish a certain application/service needs to be under user's consent, unless the disclosure is performed in the legitimate interest of the data subject, e.g. providing a service."
In Annex B of TR 33.849
, some regulations related to privacy are introduced.
However, with evolution of 3GPP network, more and more 3GPP services are introduced. Some services can require personal identification information (PII), thus, the identification of target usage case for user consent is necessary.
For different use case, the PII is identified by different identities, e.g., some of them is identified by subscriber ID, i.e., SUPI, and some of them is identified by user IDs. Thus, it is necessary that the source of user consent is identified case by case.
However, as mentioned before, privacy is only one of the drivers for user consent. User consent can also be given or prohibited for non PII.
In summary, different use cases need different solutions for authorization based on user consent. Security issues of how user consent is exchanged among NFs in the network and how they are handled and respected by various features specified by 3GPP will be considered in the present document.