The ICO exists to empower you through information.

Introduction

Quantum computing, one of several quantum technologies, has generated a lot of attention and investment in recent years. It is a technically very complex, but potentially revolutionary technology. Quantum computers make use of particle behaviour at an atomic level to run computations. A fully functional future quantum computer could, in theory, solve certain problems exponentially faster than the computers we use today. If the existing technical and engineering hurdles can be resolved, quantum computers could unlock significant advances across a range of industries, for example medicine, finance, physics, materials science and artificial intelligence.21

Quantum computing has well-documented impacts on existing encryption methods and future information security. We are interested in the ongoing efforts to address the risks to personal information that quantum computing may present. As research into potential real-world use cases accelerates, it is also important to consider if and how these new computers may process personal information in future.

About quantum computers

In simplified terms, classical computers (the computers we use today) process information represented as sequences of 1s and 0s (called digital ‘bits’). Quantum computers are built very differently. Rather than relying on simple 1s and 0s, they use quantum bits called ‘qubits’. Qubits can represent two states at the same time, meaning they can be in both a position of 0 and 1. Qubits can be linked in a way that enables them to represent even more states at the same time. The phenomena responsible for this are known as superposition and entanglement. Due to these properties, as you add qubits, the processing power of a quantum computer grows at an exponential rate. They also solve problems in a different way to classical computers. This means future quantum computers may be able to solve some problems much faster than classical computers, including some that classical computers currently effectively cannot.22 These could include the following:

  • Factorising very large numbers, which has implications for long term information security, as factorising underlies many existing encryption algorithms that protect digital information and communications.
  • Modelling highly complex systems, which offers possibilities for advances in areas like drugs discovery or physics research.
  • Solving problems with lots of different variables, which may be used to improve fraud detection or optimise financial portfolios.
  • Increasing search speed within large and complex datasets.
  • Accelerating machine learning for certain applications, such as personalised medicine or autonomous vehicles.

Because they work very differently from classical computers, quantum computers can be used for specific, but not all, computational problems. Organisations are therefore more likely to use them alongside existing computers, rather than to replace them.

State of development

Potential timelines for the development of quantum computers and specific use cases remain highly uncertain. Any advances generate a lot of media attention, such as breakthroughs in the number of qubits a computer has, or improvements in error correction. But these hide the technology’s very early developmental stage. Prototype versions of quantum computers are available via the cloud for research purposes and industry testing. We are also seeing early tests of hybrid uses, where quantum computers are used for specific functions to support classical computing. However, any large-scale uses are still very far off.23

It is unclear exactly how far off the “quantum advantage era” is. This would mean that larger quantum computers (10,000+ qubits) would be able to reliably outperform classical computers on real tasks. There are still significant technical and engineering challenges to further development. Some projections suggest we may reach it within five to 10 years,24 while some commentators question whether we will ever be able to gain quantum advantage for certain applications.25 If the challenges can be overcome, the era of “universal fault tolerant computers”, that is, fully functional computers with widespread quantum applications, could develop within 10 to 20 years, or longer.26

But many countries, including the UK, see developing their own capabilities as critical for their long term national strategic, scientific and technological competitiveness.27 Globally, there has been more than USD$35.5 billion of public and private investment in quantum technologies, including quantum computing.28 It is therefore important to think proactively about the privacy implications of the technology.

Fictional future scenario

Rhian, Head of Cyber Security at a health research facility, is called before the management board. The board are deeply concerned by newspaper reports that suggest a massive improvement in the capabilities of quantum computing. They are especially worried about an “imminent existential threat” to information security. Rhian notes that the NCSC have not confirmed the reports. However, the Board insist she contact the ICO and review other industry-recognised guidance to understand what they should consider, before going ahead with one of the many new “quantum secure” services. They want to understand how to implement protections as quickly as they can.

Rhian recalls a management board meeting five years previously, where she had sought funding to prepare for the transition to postquantum cryptography. She had struggled to engage the Board, who were not keen to invest their limited budget in addressing a cyber security risk that might never materialise. The organisation knows they hold high-value and sensitive personal information, including large health datasets for research purposes.

At this Board meeting, Rhian stresses that some of the company’s datasets are fortunately already protected. Their cloud provider has automatically upgraded to a standardised postquantum cryptography option. Some information is protected by encryption that is not at significant risk from a quantum computer. However, as she previously flagged, a full transition could take years. Rushing the transition is just as risky as doing nothing at all. She’ll need time to work with the data protection officer (DPO) and wider organisation to identify all places where personal information, systems or hardware may be at risk, and take phased action to address the risks. She also doesn’t have the resources to find out whether all third-party processors the company works with have transitioned to postquantum cryptography. Rhian also highlights recent reports of organisations who implemented non-standardised solutions in a hurry, unwittingly putting customer information, and the organisation’s wider cyber security, at risk. She sits down with a sigh. Will the Board listen this time and approve the resources she needs? 

Data protection and privacy implications

  • Threats to encryption: without appropriate mitigation in place, quantum computing has the potential to undermine specific types of encryption that protect most of today’s digital communications and information in transit. This ranges from the financial system to biometric information to digital signatures (used to digitally prove identity). Some commentators also raise the risk of “harvest now, decrypt later” activities. This is where malicious actors may already be collecting high value information as it is sent today, in order to decrypt it once they gain access to a sufficiently powerful quantum computer.29
  • It is highly uncertain when such a quantum computer may materialise, with estimates ranging from five to 30 years.30 It is also uncertain exactly what information may be most at risk from a quantum computer. However, very high value information that will remain relevant for a long time is considered more at risk than others.31 From a data protection perspective, this could include sensitive personal information (including special category information) that needs to be protected for an extended or indefinite period of time (10+ years). For example, health and genetic information or financial information processed by regulated industries.
  • Postquantum cryptography: there is already a significant amount of ongoing work on different technical measures to address the possible security risks, for example in the field of postquantum cryptography. Multiple agencies have produced relevant guidance, including the UK’s National Cyber Security Centre (NCSC).

Under the DPA 2018 and UK GDPR, organisations have an obligation to:

  • ensure the confidentiality, security and integrity of the personal information they process; and
  • take appropriate technical and organisational measures to protect this information, considering the state of the art.

The complexity of IT systems and cryptographic infrastructure differs between organisations. For some, the transition to postquantum cryptography may be as simple as an automatic software update.32 For others, the transition to postquantum cryptography is likely to be lengthy, complex and expensive.33 Because of this, and the uncertainty of timelines surrounding quantum development, it is important for organisations to start considering their risk exposure in the immediate and near future. Our encryption guidance emphasises that organisations should be crypto-agile. This means that they keep their encryption use under regular review and ensure they remain aware of updates and vulnerabilities.

The NCSC recommends that organisations should not rush to transition to postquantum cryptography before final standards-compliant products are available. However, they should be ready to do so, once they are. We support the NCSC’s recommendation that large organisations who manage their own cryptographic infrastructure start planning their future transition now, such as by identifying at-risk datasets and systems that rely on public key cryptography.

  • Processing personal information: There is still a high degree of uncertainty about potential use cases for quantum computers. They are not “all purpose” computers and many early anticipated use cases are unlikely to involve processing personal information, for example using a quantum computer to solve a materials science or physics research problem. Such use cases would therefore not fall within scope of data protection legislation. However, where an emerging use case does involve processing personal information, organisations must comply with their data protection obligations. Some potential use cases being explored that could involve processing personal information include:
      • near real-time fraud detection;
      • customer targeting and prediction;
      • natural language processing; and
      • genomic data analysis.

In some cases, training datasets may be anonymised or pseudonymised. This, and how insights are applied to people, will also change an organisation’s data protection obligations.

  • International transfers: Quantum computers are expensive and technically complex. Therefore, in the short term, accessing them is likely to involve at least some access to overseas quantum computing capacity, as the UK continues to scale its domestic infrastructure.34 Much like current cloud services and other third party information processing operations, if organisations transfer personal information, they will need to meet international transfer requirements.
  • Transparency, accuracy, storage and retention: Qubits do not last very long because their state ‘collapses’ when observed or measured. They cannot be copied and are currently fragile and prone to inaccuracies. It is not yet clear whether qubit properties could make it harder to fulfil certain data protection obligations, if organisations start to use quantum computers or quantum or hybrid data centres for processing personal information in the future.

We want to consider if, and to what extent, it may be more difficult to respond to requests for personal information (SARs), retain or correct personal information, or account for inaccuracies in computing outputs. As noted in our earlier work on quantum as part of the DRCF, we are also interested in the potential implications for future explainability in quantum machine learning. It is early days, and many relevant use cases may only develop over the long term. However, as testing of academic and real-world use cases accelerates (including classical-quantum hybrid applications), we plan to explore these questions further in our foresight report on wider quantum technologies, which we will publish in 2024.

Recommendations and next steps

  • We will consider our policy and regulatory positions further in our foresight report on the broader space of quantum technologies, which we are due to publish in 2024.
  • We are committed to supporting organisations to understand current and future cyber risks so that they can appropriately protect personal information. This includes the risk arising from developments in quantum computing.
  • We will continue to engage with all relevant stakeholders on the transition to postquantum cryptography. We will also engage with our DRCF counterparts to ensure our regulatory approaches are aligned.
  • Quantum computing is at a very early stage of development, but existing regulation continues to apply. We are committed to supporting innovators testing quantum computing use cases to identify whether they may be processing personal information and embed privacy by design as early as possible. At this early stage, and as the UK’s ecosystem continues to develop, we are exploring further opportunities to learn and share our insights with innovators, the UK’s quantum hubs, the Regulatory Horizons Council, academia, and other regulators.


21 DRCF Quantum Technologies Insights Paper
22 DRCF Quantum Technologies Insights Paper; National Quantum Computing Centre (NQCC) overview of quantum computing
23 Quantum Advantage Conference Panel; DRCF Quantum Symposium Panel
24 DRCF Quantum Symposium Panel
25 See, eg, Nature article on “The AI–quantum computing mash-up: will it revolutionize science?” (2024); Communications of the ACM article on “Disentangling Hype from Practicality: On Realistically Achieving Quantum Advantage” (2023)
26 DRCF Quantum Symposium Panel
27 National quantum strategy - GOV.UK (www.gov.uk)
28 World Economic Forum insight report on State of Quantum Computing: Building a Quantum Economy (2022)
30 Inside Quantum Technology News article on the “Quantum Cryptographic Threat Timeline”
31 National Cyber Security Centre (NCSC) whitepaper on next steps in preparing for post-quantum cryptography (2023)
32 NCSC whitepaper on next steps in preparing for post-quantum cryptography (2023)
33 World Economic Forum whitepaper on transitioning to a Quantum Security Economy (2022)
34 techUK report on Quantum commercialisation: Positioning the UK for success (2022)