In December 2018, the Dutch Data Protection Authority clarified that counting the number of visitors in (semi) public areas using tracking technologies is only permitted under very strict conditions (in Dutch). As a result of this report, a number of municipalities have temporarily suspended WiFi tracking in the city centre. A tracking company has also announced that it will stop offering WiFi tracking as a service. In early January, a municipality that tracks visitors via WiFi resumed the practice.
We explain why the General Data Protection Regulation (GDPR) applies to WiFi tracking, what this has to do with the roles of Controller and Processor, and which legal bases organisations can rely on if they want to use WiFi tracking.
WiFi tracking means that people can be tracked using the signal from their mobile devices. WiFi tracking is "easy" because the phone does not need to be connected to a WiFi network to be tracked by a sensor. Mobile devices continuously transmit WiFi signals to connect to a WiFi hotspot. The sensor picks up the WiFi signals from the phone. These signals contain the MAC address of the phone. This makes the phone distinguishable from other devices. The sensor processes the MAC address in combination with other data, namely the signal strength of the registered WiFi signal of the device, the location of the phone, and the date and time of the measurement. Based on this data, a data analyst can provide information about the number of devices within range of the sensor and the movement behaviour of people. In this way, companies generate economic data on shopping behaviour and walking flows within certain areas.
A MAC address is personal data from the moment it is combined with other (personal) data that can be traced back to a person. This traceability is possible via the observed location data of the mobile phone. The joint European privacy regulators (formerly Article 29 Working Party) have further elaborated this position in Advice 13/2011 on geolocation service and on smart mobile devices.
The data Controller is the one who determines the purposes for which the data are processed and by what means. The Processor is the one who processes personal data on behalf of the data controller. In the context of WiFi tracking, this may differ per case. Government parties and companies take on various roles. Several scenarios are possible. The party responsible for the processing (Controller) must enter into a processing agreement with the Processor to ensure that the personal data processed are not (re)used for other purposes. For example, a municipality hires a tracking company to track the crowd at an event. According to the Processor agreement, the company may only collect this data for this purpose and may not (re)use it for its own purposes. In this case, the municipality is the party responsible for the processing, and the tracking company is the Processor. It can also be the other way around. If the tracking company also processes the data for its own purposes, such as generating statistics or developing other services, then the company and its clients (such as the municipality) can be jointly responsible for processing. Then they are jointly responsible for safeguarding the privacy of those involved, such as shop visitors and pedestrians.
Under the GDPR, the Controller must have a legitimate legal basis for processing personal data. This also applies if an organisation processes personal data using WiFi tracking. In Article 6(1), the GDPR lists six possible principles for the processing of personal data:
Not every basis can apply to the processing of MAC addresses and location data in WiFi tracking. The principles under 3 and 4 cannot apply, because there is no legal obligation to follow people via WiFi tracking, and because no lives can be saved in acute emergencies with WiFi tracking. The relevant principles are further explained below.
If the responsible party wishes to rely on the basis of consent (Article 6(1) under a of the GDPR), the data subject must be able to give prior consent to the party that wants to track them using WiFi signals. Such consent is only valid if the data subject gives it freely and if the consent is based on specific information, without any ambiguity. It is quite difficult to ask a pedestrian for permission in advance. The sensor makes no distinction between phone owners who have and who have not agreed to be followed by means of WiFi tracking. In order to obtain valid consent, the tracking company or the client must inform the data subjects properly about the processing of the MAC addresses and other telephone data. But just hanging up a poster is not enough. In short, the basis to "ask permission from the data subject" usually does not provide a good basis for WiFi tracking, because in practice it is difficult to ask permission in advance from random pedestrians or shoppers.
Processing on the basis of an agreement (Article 6(1), under b of the GDPR) is also not applicable in this context, because shopkeepers and municipalities have no agreements with random passers-by or the shopping public.
Only administrative bodies can base the processing of personal data on the basis of the need to perform a task in the public interest or in the exercise of public authority (Article 6(1)(e) GDPR). Administrative bodies can use WiFi tracking when it is really necessary to carry out a public task. It is therefore not enough that the processing is "handy" for the performance of a public task, such as maintaining public order or being able to take data-driven decisions about the design of shopping areas, for example. The administrative body must be able to substantiate that the infringement of privacy is necessary. In doing so, those responsible must, as in the case of the basis of legitimate interest, assess it in the light of the principles of proportionality and subsidiarity. This means that you have to ask yourself whether processing in this way is really necessary, i.e. whether you are not processing too much or too sensitive data, and whether you cannot collect the data in another way, in which you do not harm the privacy of the people involved or harm it less.
The promotion of the legitimate interest (basis 6) of the organisation can also serve as a basis for processing MAC addresses in WiFi tracking. This basis is not suitable for administrative bodies when carrying out a public task, but it is suitable for companies. For example, a lessor of retail space may have a legitimate interest in collecting business economic information about the number of visitors per store over time. However, the organisation must weigh this interest against the interests of the shop visitors and passers-by. According to the Data Protection Authority, commercial purposes cannot serve a legitimate interest when it comes to following people in the public space (Dutch). The Dutch Data Protection Authority writes (in a public statement on cameras in billboards):
"A private party will not easily have a basis for processing personal data in a public space, not being private property, without permission from or without contract with a data subject on cameras in billboards. This because private parties in principle have no authority there, and the processing of personal data in a public space without permission and/or contract is primarily the responsibility of, or must have been made possible by, the (legislative) government."
It is questionable whether this assessment will hold up if a tracking company or another responsible person who uses the services of a tracking company would take legal action against this.
The Article 29 Working Party provides a clear explanation that processing operations can quickly pass the test of legitimate interest, provided they do not conflict with laws and regulations. Therefore, a commercial interest can indeed be a legitimate interest. Much more important are the following two parts: whether the processing is proportional, and whether the processing in individual cases does not harm certain people too much. In the latter case, you must take measures to prevent this.
The tracking company can minimize the negative consequences for those involved, for example by anonymizing the measurement data immediately, on the sensor. Moreover, the distinction between privately and publicly owned space seems rather arbitrary. Stations and enclosed shopping malls, for example, are usually privately owned. It cannot be explained that these parties may have a legitimate interest in the use of WiFi tracking.
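As an illustration of what processing "immediately, on the sensor" can look like, the sketch below is an added example and not code from any tracking company or from the Data Protection Authority. The class name, the 15-minute window and the suppression threshold are assumptions; the sensor keeps only keyed hashes in memory and reports nothing but a count per window.

```python
import hashlib
import hmac
import secrets

class SensorCounter:
    """Counts distinct devices per time window; keeps no raw MAC addresses."""

    def __init__(self, window=900, min_count=3):
        self.window = window        # assumed reporting window in seconds
        self.min_count = min_count  # assumed threshold; smaller counts are withheld
        self._start = None          # start of the window being counted
        self._key = None            # random key, RAM only, one per window
        self._tokens = set()        # keyed hashes seen in the current window
        self.reports = []           # the only data that leaves the sensor

    def _token(self, mac):
        # A plain hash of a MAC can be reversed by enumerating the 48-bit
        # address space, so the hash is keyed with a secret that is discarded.
        norm = mac.lower().replace("-", ":").encode()
        return hmac.new(self._key, norm, hashlib.sha256).digest()

    def observe(self, mac, ts):
        """Record one sighting; observations must arrive in time order."""
        start = ts - ts % self.window
        if start != self._start:
            self.flush()
            self._start, self._key = start, secrets.token_bytes(32)
        self._tokens.add(self._token(mac))

    def flush(self):
        """Emit the count for the current window, then drop key and tokens."""
        if self._start is not None:
            n = len(self._tokens)
            self.reports.append({"window_start": self._start,
                                 "device_count": n if n >= self.min_count else None})
        self._start, self._key, self._tokens = None, None, set()

# Constructed sample sightings: (MAC address, Unix time in seconds).
SAMPLE = [("AA:BB:CC:00:00:01", 10), ("aa:bb:cc:00:00:01", 300),
          ("aa:bb:cc:00:00:02", 320), ("aa:bb:cc:00:00:03", 600),
          ("aa:bb:cc:00:00:01", 950), ("aa:bb:cc:00:00:04", 1000)]

def run(sightings):
    counter = SensorCounter()
    for mac, ts in sightings:
        counter.observe(mac, ts)
    counter.flush()
    return counter.reports

if __name__ == "__main__":
    print(run(SAMPLE))
```

Because the key changes with every window and is never stored, the same phone produces unrelated tokens in two windows, so the reported counts cannot be joined into a movement profile of one device.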
In short, the GDPR applies to WiFi tracking because personal data (including MAC addresses of mobile devices) are processed. In addition, in the context of WiFi tracking, the Controller and Processor may differ per case, because several constructions are possible. It is important to see which party determines the means and the processing purposes.
Our next blog post will explain which principles from Privacy by Design may apply to the design of a tracking technique such as WiFi tracking. By means of Privacy by Design, a tracking company can generate statistics based on WiFi signals with a minimal privacy impact on those involved. If you need support with these or other tasks, please feel free to contact us.