UK: The future of quantum technologies - the ICO's early stage thinking on quantum technologies and data protection
In the next 5-10 years, advancements in quantum technologies are expected to lead to a range of groundbreaking developments in computing, imaging, sensors, timing, cryptography, and communications. Acknowledging the privacy and cybersecurity impacts of this groundbreaking technology, the UK's Information Commissioner's Office (ICO) released a report that explores its thinking on quantum technologies and data protection. It considers the following:
- future quantum use cases that may involve or impact personal information processing;
- how quantum technologies may combine with other priority technologies the ICO has explored in its previous technology horizons reports;
- the possible implications of future use cases in relation to privacy and information rights; and
- the future of information security as a result of the risks from a quantum computer.
The report is not intended to be formal guidance. It is much more detailed than many other notes and views from the ICO and covers a wide variety of topics (some of which we may provide separate specific updates on in due course). In this Insight article, Philip James, Michael Bahar, and Anna Allen, from Eversheds Sutherland, focus on the cybersecurity and privacy considerations arising from the report.
In December 2024, a global technology vendor unveiled its new quantum computer, powered by a chip, which needs less than five minutes to perform a calculation that would take current supercomputers more than 10 septillion years to complete, a length of time that exceeds the age of the known universe.
This revolutionary technology is still experimental, but its practical use is now largely a matter of when, not if, and it will have powerful privacy and cybersecurity impacts, for both good and ill, which companies need to start considering with urgency. Most pressing, companies should start considering whether to implement quantum-resistant encryption algorithms to protect data from a technology that renders all current encryption algorithms obsolete. Companies also should start to consider the privacy impacts that quantum computing - especially coupled with artificial intelligence (AI) - will have.
This includes the use of magnetic quantum sensors for brain scanning and other sophisticated quantum imaging technologies enhancing medical diagnostics and advancing developments in life sciences.
The financial services sector could leverage quantum machine learning to refine credit scoring and fraud detection or to personalize financial products.
Quantum sensors and quantum timing technologies could be used to advance urban and environmental resource planning and climate change planning for ESG efficiency, as well as in maritime and land-based navigation and defense. Quantum communication has the potential to revolutionize data security, making it resistant to cyber-hacking.
The quantum solution to the quantum threat
Quantum computers have the potential to solve certain problems exponentially faster than the computers we use today. This includes some problems that current computers effectively cannot solve. Potential applications cover a range of industries including physics, finance, materials science, and medicine; but quantum computers can also be used to crack current encryption with breathtaking ease.
How does it work?
Quantum computers make use of particle behavior at an atomic or subatomic level to run computations. Classical computers (the computers we use today) process information represented as sequences of 1s and 0s (called digital 'bits'). In contrast, quantum computers use quantum bits called 'qubits.' Qubits can represent two states at the same time. This means they can be in both a position of 0 and 1 or, importantly, somewhere in between. Qubits can be linked in a way that enables them to represent even more states at the same time. The phenomena responsible for this are known as superposition and entanglement. Due to these properties, the processing power of a quantum computer grows at an exponential rate for each extra qubit.
What kinds of sample use cases can quantum be used for?
Accelerating machine learning or improving data analysis for applications such as:
- genomics and biometrics;
- natural language processing;
- analyzing and predicting customer behavior for product targeting;
- improving fraud detection in real-time transaction information;
- classifying images, such as medical scans for diagnostics; and
- increasing search speed within complex datasets or speeding up the systems used to recommend products and content on online shopping or media platforms.
How could this assist privacy?
Researchers are also exploring different ways that quantum technologies could be used as, or combined with, classical privacy enhancing technologies (PETs) in the future - i.e., leveraging ways in which quantum computing can obfuscate or protect the underlying raw data to seek to preserve private information and personal data within the source data sets. There is research into:
- hybrid quantum computing to improve the computational efficiency of certain PETs;
- federated quantum machine learning, which would allow a group of organizations to process sensitive information (such as special category data) individually using a quantum computer and share insights (but not the raw information) with a combined classical model to improve it; and
- blind quantum computing, which offers a person or organization accessing a quantum computer from the cloud a different way to completely hide the problem they are solving, the calculation, and the answer from the quantum computing server (and the organization that provides the quantum computing service).
Quantum communications offer a new method for securely sharing cryptographic keys. They use the physical properties of light in a quantum state, rather than the math problems used in current encryption. Other techniques could enable early quantum computers to link together and share information in a quantum state. This could increase their processing power and help to secure information. They could contribute to a future network of quantum computers, or a 'quantum internet,' running parallel to the existing internet.
Quantum communications refer to ways of transmitting information securely using quantum mechanics. The main technique is known as quantum key distribution (QKD), a way of securely sharing encryption keys.
QKD uses the physical properties of light in a quantum state, rather than using math problems for security (as in classical encryption). Essentially, sharing the key is secured using the laws of nature. Some suggest that in the future, QKD could be used together with post-quantum cryptography. This would help protect highly sensitive information transfers against a future quantum computer capable of solving the mathematical problems used in certain types of encryption.
It could secure a range of devices, systems, and personal information processing, from securing mobile two-factor authentication for online banking to smart buildings and wider digital communications. However, QKD is not currently endorsed by the UK National Cyber Security Centre (NCSC) for future post-quantum security.
One of the likely applications of quantum technology is therefore to improve the cybersecurity of communications. The cryptography currently in use to protect the cybersecurity of data and electronic communications will, in due course, be inadequate against quantum computing.
In contrast, although powerful quantum computers able to crack the current cryptographic protections have not yet emerged, this risk is already present through 'steal now, decrypt later' cyber attacks [1].
Quantum computing is, in some ways, not dissimilar to the 'Setec Astronomy' box invented in the star-studded film 'Sneakers', starring Robert Redford, Sidney Poitier, James Earl Jones, Ben Kingsley, and Dan Aykroyd (amongst others). The film centered around a new form of technology (hidden in a box) which contained an algorithm called 'Too Many Secrets' (an anagram of 'Setec Astronomy') that was able to decrypt all known cryptography at that time (allowing its holder to access the national grid and national air-traffic control) - exciting fiction but scary in reality.
Perhaps the most important aspect of effective cybersecurity is the ability to adapt to new threats. Attack methods and vectors constantly change. Therefore, an organization's ability to change and adapt to each current threat and risk is crucial to achieve resilience.
Philip James, Partner, Global Privacy & Cybersecurity Group, Eversheds Sutherland
A sufficiently powerful quantum computer could be used to solve the mathematical problems used in asymmetric cryptography. This type of cryptography is currently used throughout IT systems and internet infrastructure. Organizations would not be able to rely on this cryptography to protect the future security, integrity, and confidentiality of information anymore.
Asymmetric cryptography helps protect almost all internet communications, including a wide range of personal information transfers. For example:
- Secure messages, such as emails and encrypted phone messaging services.
- Browsing information or information submitted on secure websites (i.e., websites protected by HTTPS). For example, when a person accesses government services online, such as benefits applications, e-voting, or passport controls.
- Information that an organization or person sends to, or accesses from, the cloud. For example, large amounts of information processed for machine learning and data mining, or health information sent between a network of healthcare providers.
- Information sent when using a virtual private network (VPN). For example, when employees are working from home.
- Encrypted information sent by the Internet of Things (IoT) devices. For example, sensor information, video, or voice information processed by smart buildings or in smart homes. Encrypted information sent by autonomous vehicles, mobile phone apps (e.g., mobile phone ticketing), or ATMs.
- Financial transactions, online transactions, and digital identity schemes. In some cases, information held on some blockchains and digital currencies.
Attempts to develop techniques able to withstand the potential threats are already ongoing. The main one is quantum-resistant cryptography, otherwise known as post-quantum cryptography (PQC) - these are cryptographic algorithms applied to ensure data, communications, and our digital infrastructure remain safe when quantum computers become prevalent. PQC is already being implemented by some organizations in various sectors such as the government, cloud computing, and automotive.
The US Government has set objectives for a public sector transition to quantum secure systems by 2035 and the European Commission has also called for Member States to develop a roadmap to address the risks and benefits of quantum computing. The previous UK Government set out five quantum missions for 2035 and outlined a goal of achieving a 'quantum enabled-economy' by 2033. With such goals, the UK seeks to capitalize on the anticipated benefits and avoid being left behind in the 'race' for global science and technology advantage. The ICO also states it has contributed to this conversation with the Digital Regulation Cooperation Forum (DRCF) and its most recent Tech horizons report, and wider engagement with bodies such as the Regulatory Horizons Council (RHC) and the Department for Science, Innovation and Technology (DSIT) Office for Quantum.
In August 2024, the UK NCSC published guidance on PQC aimed at helping organizations plan for the migration to PQC. In the US, the National Institute of Standards and Technology (NIST) has begun standardizing the algorithms designed to withstand attack by quantum computers and in August 2024, released its first post-quantum encryption standards. This is the final step before these tools are made available for organizations to integrate them into their encryption infrastructure. NIST is also developing automated tools to help organizations identify and locate cryptography that is 'at risk' in their systems [2].
ICO's ongoing strategy and engagement
To help work towards a quantum-enabled future, the UK ICO has said it will:
- continue to work with the NCSC to raise awareness of cybersecurity risks arising from quantum computing, updating its guidance on encryption in line with the transition to post-quantum cryptography;
- continue to engage with, learn from, and share its perspective with industry, the National Quantum Computing Centre, the UK's Quantum Hubs, the Office for Quantum, and other regulators on developments in wider quantum technologies; and
- consider sandbox applications for any quantum technology use cases likely to come to market in the next three years that may involve processing personal information.
The ICO advises those interested in a wider perspective on quantum technologies and their use cases to refer to the DRCF Quantum Technologies Insights Paper published in August 2023.
Activities of the DRCF member regulators
The DRCF is a cooperation of UK regulators with responsibilities for digital regulation (including the ICO, the Competition and Markets Authority (CMA), the Office of Communications (Ofcom), and the Financial Conduct Authority (FCA)). As quantum technologies develop, the DRCF continues to engage on understanding and responding to the regulatory needs of the quantum ecosystem. Their update, published on December 4, 2024, discusses significant technological advancements and regulatory progress over the past year.
Technological advancements
DRCF member regulators are building their understanding of quantum technologies through ongoing communication with the industry, the Government, and academia. The report notes the progress in quantum computing and communication (including in quantum computing hardware, software, and error correction), concluding that 'the progress achieved over the last year suggests the era of fault-tolerance and quantum advantage may be closer than previously thought.' Notable achievements mentioned include quantum key distribution over longer distances using existing subsea fibre cables between the UK and Ireland.
The anticipated impact of future quantum computers on the security of communications and personal and financial data has been highlighted as a key near-term risk issue for the DRCF members with information and data security-related responsibilities. The PQC standards released by NIST and discussed above are designed to address this risk. The NCSC has updated its guidance on PQC and the DRCF continues to work with the NCSC and supports its initiatives, allowing a shared approach to the change.
Responsible innovation
The UK has launched five quantum missions aimed at establishing itself as a leader in quantum technologies, including the opening of the National Quantum Computing Centre (NQCC) and the launch of the Responsible Quantum Industry Forum (RQIF) in January 2024 by the NQCC, techUK, and UKQuantum. In November 2024, the RQIF published a set of principles for the quantum industry to help guide the responsible development and use of quantum technologies and will work towards supporting UK quantum startups to incorporate these principles into their values and operations. The NQCC has also published its quantum STATES principles for responsible and ethical quantum computing. These focus on transparency and explainability in quantum computing, as well as the emphasis on mitigating risks which is relevant to the DRCF's aim to protect consumers and their information rights.
Regulatory engagement and future outlook
The update reports on several industry, government, and academia engagement activities undertaken by the DRCF over the past year, including working with the NCSC on the transition to quantum-secure systems and participating in international standards development.
The transition to quantum-secure systems has been highlighted as the likely area of focus for many DRCF members in the next year. As they prepare for the International Year of Quantum 2025, DRCF members will also continue their ongoing engagement, discussions with the industry and other regulators, and sharing of insights to ensure responsible innovation and public interest protection.
What should organizations do?
Organizations are encouraged to transition to PQC as soon as possible. As your organization does so, it may face challenges, such as the risk of exposing personal information due to errors in system misconfiguration, which could lead to mandatory personal data reports to the ICO (and potentially other relevant regulators, dependent upon the sector in which an organization operates). To navigate this shift to quantum-secure systems, you should:
- collaborate with providers and third parties, managing complex data processing across various systems and devices;
- assess your risk exposure (in the immediate and near future), for example, identify high-risk information, critical systems, and at-risk cryptography;
- refer to and ensure compliance with the NIST standards and NCSC guidance (if and as required under applicable UK/EU Network and Information Systems Regulation (NIS) and NIS 2, and EU and UK General Data Protection Regulation (GDPR) and electronic identification, authentication, and trust services (eIDAS) legislation, governing ID verification and authentication schemes and, in due course, the draft UK Data (Use and Access) Bill, which also addresses verification service providers);
- protect information processing - implement basic, day-to-day cyber hygiene to avoid significant risks to personal information and prevent potential economic and personal harm; and
- when using other quantum secure technologies, complete a Data Protection Impact Assessment (DPIA) if processing is likely to result in a high risk to privacy rights.
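As an added illustration of the "assess your risk exposure" step (example code written for this page, not taken from the ICO report, NIST, or the NCSC), the sketch below triages a constructed system inventory for at-risk asymmetric cryptography and flags 'steal now, decrypt later' exposure. The asset names, the `+` notation for hybrid schemes, the scoring, and the planning-horizon parameters are assumptions; the exposure test is the widely used Mosca planning inequality, which the article itself does not mention.

```python
from dataclasses import dataclass

# Public-key families whose maths problems (factoring, discrete logarithms)
# a sufficiently powerful quantum computer could solve.
QUANTUM_VULNERABLE = {"RSA", "DH", "ECDH", "ECDSA", "ED25519", "X25519"}
# Families standardized by NIST in August 2024 (FIPS 203, 204, 205).
PQC = {"ML-KEM", "ML-DSA", "SLH-DSA"}

@dataclass
class Asset:
    name: str
    key_exchange: str    # protects confidentiality of data in transit
    signature: str       # protects authenticity
    secrecy_years: int   # how long the data must stay confidential
    personal_data: bool

def family(alg: str) -> str:
    """Normalise e.g. 'RSA-2048' or 'ml-kem-768' to its algorithm family."""
    a = alg.upper()
    for fam in sorted(QUANTUM_VULNERABLE | PQC, key=len, reverse=True):
        if a.startswith(fam):
            return fam
    return a

def is_vulnerable(alg: str) -> bool:
    """A hybrid scheme ('+'-joined) is treated as safe if any part is PQC."""
    fams = [family(part) for part in alg.split("+")]
    if any(f in PQC for f in fams):
        return False
    return any(f in QUANTUM_VULNERABLE for f in fams)

def triage(assets, years_to_quantum: int, migration_years: int):
    """Return (score, name, reasons) tuples, highest priority first."""
    findings = []
    for a in assets:
        reasons = []
        if is_vulnerable(a.key_exchange):
            # Mosca inequality: recorded traffic is exposed if its secrecy
            # lifetime plus migration time outlasts the assumed threat horizon.
            if a.secrecy_years + migration_years > years_to_quantum:
                reasons.append("harvest-now-decrypt-later")
            else:
                reasons.append("vulnerable-key-exchange")
        if is_vulnerable(a.signature):
            reasons.append("vulnerable-signature")
        if reasons:
            score = 3 if "harvest-now-decrypt-later" in reasons else 1
            findings.append((score + int(a.personal_data), a.name, reasons))
    return sorted(findings, key=lambda f: (-f[0], f[1]))

# Constructed inventory for illustration only.
INVENTORY = [
    Asset("patient-records-api", "ECDHE", "RSA-2048", 25, True),
    Asset("staff-vpn", "DH-2048", "RSA-3072", 2, False),
    Asset("marketing-site", "X25519+ML-KEM-768", "ECDSA-P256", 0, False),
    Asset("archive-transfer", "ML-KEM-1024", "ML-DSA-65", 30, True),
]

if __name__ == "__main__":
    for finding in triage(INVENTORY, years_to_quantum=10, migration_years=3):
        print(finding)
```

The `years_to_quantum` value is a planning assumption each organization must set for itself; long-lived personal data protected by a vulnerable key exchange rises to the top regardless of how the other assets score.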
What else do organizations need to know about quantum technologies?
Where quantum imaging can (literally) see around corners or behind walls, an organization may be able to identify a person from a low-resolution image (and therefore processing personal information). If deployed in CCTV/video surveillance in a public space, such as a hospital, the organization may hold additional information about patients and staff. This underlines the importance of DPIAs for the use of emerging technology.
This raises significant issues around the risks presented to privacy, which are a natural extension of those that arise from facial recognition technology and biometrics. The processing of such quantum imaging may, although seemingly remote, allow a controller to identify individuals using imaging which previously - given the current state of the art - did not raise any material privacy issues, since the individuals in question were not identifiable or identified. This may also have an impact on the extent to which personal information may need to be anonymized or pseudonymized. Specifically, post-quantum cryptography may need to be applied as an additional protection to preserve the anonymity or pseudonymization of such data.
Some of the above may seem far-fetched. But then so did a purely digital currency-based economy (until the arrival of COVID-19). We would advise starting to build in these developments, and the opportunities and risks quantum presents, to ensure that short, medium, and longer-term commercial data strategy, cybersecurity, and compliance programs remain current and do not become unnecessarily outdated. Planning early, even if at an incremental level initially, may make all the difference in five, 10, and 15 years' time.
Philip James Partner, Global Privacy & Cybersecurity Group
Michael Bahar Partner, Co-head Global Privacy & Cybersecurity Group
Anna Allen Senior Associate, Privacy, Information & Cybersecurity
Eversheds Sutherland, London and Washington
1. See: https://www.eversheds-sutherland.com/en/united-states/insights/quantum-computing-and-the-threat-to-existing-encryption
2. See: https://www.eversheds-sutherland.com/en/united-states/insights/quantum-computing-and-the-threat-to-existing-encryption