Three privacy challenges surrounding Wi-Fi tracking | Privacy | Deloitte Netherlands


Every step you take: three privacy challenges surrounding Wi-Fi tracking 

This May, Dutch media reported that - apart from many commercial organizations - over 60 Dutch municipalities nowadays use Wi-Fi tracking.* Wi-Fi tracking seems ‘booming business’ for companies and governments alike, but a lot of questions regarding this technology remain unanswered. In this blog, we will provide some basic information and highlight three important challenges.

Written by Lucie Runia | September 23, 2019

What is Wi-Fi tracking?

Wi-Fi tracking equipment picks up the MAC addresses of individual devices to collect location data; it tracks the movements of people based on the movements of their individual cell phones, tablets and laptops. A MAC address is a twelve-digit string of numbers and letters, used to identify computer network adapters. Because every device has a unique MAC address, MAC addresses are considered personal data. A device that has its Wi-Fi functionality switched on continuously broadcasts its MAC address, in search of nearby Wi-Fi networks it could connect to. Wi-Fi tracking sensors pick up those signals.

For which purposes can your organization use Wi-Fi tracking?

Commercial organizations may use Wi-Fi tracking, for example, to assess whether their shops are located in the most beneficial areas or to determine which shops perform better than others (e.g. based on the time spent by visitors in a certain shop). Public bodies may use Wi-Fi tracking to assess whether policies or programs regarding a certain area have been effective, to be able to control large visitor flows (e.g. during events) or to become better informed on topics like parking problems, safety and the accessibility of certain areas.

Challenge #1: Anonymized or not?

One of the largest companies specialized in Wi-Fi tracking technologies in the Benelux states that the MAC addresses picked up by their sensors are first pseudonymized (using a hashing algorithm), after which they are ‘anonymized’ by deletion of part of the digits of the hashed MAC address. Because the company considers the data it processes anonymized - and because anonymized data does not fall within the material scope of the GDPR - it asserts that the GDPR does not apply to its Wi-Fi tracking activities. However, it is debatable whether these methods render the data truly anonymized. If the purpose of Wi-Fi tracking is to track the movement of individuals over a certain period of time, Wi-Fi tracking companies need to remain able to link the ‘anonymized’ data in their databases to the MAC-addresses their sensors pick up. This - by definition - means that the data in their databases can be traced back to a unique device (and, thus, to an identifiable natural person).

Challenge #2: Legal basis

For the sake of exploring some of the challenges surrounding Wi-Fi tracking, let’s assume that the data processed by Wi-Fi tracking equipment is not anonymized and that the GDPR applies to it. This would mean there needs to be a legal basis for Wi-Fi tracking to be legitimate.

For commercial organizations, ‘legitimate interest’ or ‘consent’ are the only realistic options to be explored. In a 2015 report, the College Bescherming Persoonsgegevens (or ‘CBP’, the predecessor of the Dutch supervisory authority) articulated that Bluetrace – a supplier of Wi-Fi tracking technology – had a legitimate interest in processing MAC addresses. This legitimate interest was ‘collecting data regarding crowd numbers and shopping behavior’. However, the CBP added that the use of Wi-Fi tracking was not proportionate in this case, because sensitive (location) data was being gathered 24/7 in an excessively large area. Under these circumstances, the CBP concluded that Bluetrace could not invoke legitimate interest as a legal basis. Nevertheless, it is not inconceivable that the CBP would have decided differently if the geographical scope and the timeframe of the Wi-Fi tracking had been limited.

An alternative legal basis for the processing of MAC addresses for Wi-Fi tracking purposes could be ‘consent’, but asking for consent in a GDPR-compliant manner poses many practical difficulties in the context of Wi-Fi tracking. Implicit consent is not permitted, so a clear affirmative act regarding consent for Wi-Fi tracking is required from each passer-by. The number of passers-by makes this practically impossible, especially because Wi-Fi tracking is only effective by virtue of the presence of large groups of people.

Public bodies may not invoke legitimate basis as a legal basis, but could potentially rely on article 6(1)(e) of the GDPR if their Wi-Fi tracking activities are necessary for the performance of a task carried out in the public interest. This task has to be laid down in domestic or EU law, and the processing must meet the criteria of proportionality and subsidiarity.

Challenge #3: Information provision

A third hurdle to be taken when making Wi-Fi tracking activities GDPR-compliant is the information provision obligation (as specified in article 13 and 14 of the GDPR). In the Bluetrace report, the CBP concluded that Bluetrace violated the transparency principle because it did not supply the shopping public with sufficient information regarding its tracking methods. The CBP suggested shops engaging in Wi-Fi tracking to display clearly visible signs, stickers or flyers to inform shop visitors about Wi-Fi tracking activities. However, the Bluetrace report pre-dates the entry into force of the GDPR and it is unclear if the information provision requirements are still interpreted in exactly the same way.

As you can see, lots of things are still up in the air with regard to the legitimacy of Wi-Fi tracking. As always, we will keep you posted on any developments regarding this topic.

More information

Do you want to know more on our privacy services or on the challenges of Wi-Fi tracking? Please contact Annika Sponselee or Nicole Vreeman via the contact details below.

*The article referred to can be found here.

Did you find this useful?