WiFi and/or Bluetooth track­ing (WiFi track­ing for short) is a tech­nique used to fol­low large groups of people and to ana­lyse their pat­terns of move­ment, for example at a train sta­tion or in a shop­ping centre. Although WiFi track­ing may have valu­able and social func­tions – such as crowd man­age­ment to ensure people’s safety – the ques­tion arises as to how it relates to the right to pri­vacy. This blog will dis­cuss the cur­rent leg­al regime regard­ing WiFi track­ing, the devel­op­ments in that con­text, and the con­sequences for those involved and for organ­isa­tions that want to use of WiFi track­ing.

 

What is WiFi track­ing?

In short, WiFi track­ing causes the sig­nal from a smart­phone or tab­let, for example, to be cap­tured by meas­ur­ing equip­ment, which can then determ­ine the device’s loc­a­tion, among oth­er things. What people fail to real­ise is that to receive these sig­nals, no act­ive action by the hold­er of the device (such as log­ging on to a WiFi net­work) is required. WiFi track­ing is not notice­able and often it can­not be ascer­tained wheth­er it has taken place and when.

 

Which leg­al regime applies?

If an organ­isa­tion wants to apply WiFi track­ing or a data sub­ject wants to oppose it, there are vari­ous leg­al regimes to con­sider. Firstly, the Gen­er­al Data Pro­tec­tion Reg­u­la­tion (GDPR) applies; secondly, although this is still in debate, the Tele­com­mu­nic­a­tions Act (Tele­com­mu­nic­atiewet, Tw) may also apply.

 

The applic­a­tion of the GDPR fol­lows from the fact that in the con­text of WiFi track­ing, a com­bin­a­tion of data is col­lec­ted that may indir­ectly or dir­ectly identi­fy a spe­cif­ic per­son. As people are often in the same loc­a­tion as their smart­phone, the loc­a­tion of the phone (in com­bin­a­tion with, for example, cam­era images, WiFi login data or a loy­alty card) is likely to provide inform­a­tion about its own­er. (Partly) because the anonym­iz­a­tion of data in WiFi track­ing is tech­nic­ally com­plex, per­son­al data are almost always being pro­cessed – as such, WiFi track­ing must take place in com­pli­ance with the GDPR.

 

At present, there is still uncer­tainty as to wheth­er, in addi­tion to the GDPR, the “cook­ie” rules of the Tw also apply to WiFi track­ing; this would res­ult in per­mis­sion being required for WiFi track­ing. The reg­u­lat­or under the Tw, the Neth­er­lands Author­ity for Con­sumers & Mar­kets, has not expressed an opin­ion on this. Since the Tw is to be replaced by the e-Pri­vacy Reg­u­la­tion, which will con­tain spe­cif­ic rules con­cern­ing WiFi track­ing, its con­tent will determ­ine the future of WiFi track­ing.

 

Con­sequences of the applic­ab­il­ity of the GDPR

The applic­ab­il­ity of the GDPR has major con­sequences for organ­isa­tions that use WiFi track­ing. For example: WiFi track­ing is deemed jus­ti­fied only if the data sub­jects are informed about it and if there is a “basis” for pro­cessing their data. These two require­ments are not eas­ily met.

 

As to the oblig­a­tion to provide inform­a­tion: (inat­tent­ive) data sub­jects are not and can­not be (suf­fi­ciently) informed about WiFi track­ing. This may res­ult in prac­tic­al objec­tions – for example, when meas­ure­ments in traffic are con­cerned.

 

Private organ­isa­tions have only lim­ited options in select­ing a basis for car­ry­ing out this activ­ity: (i) con­sent, (ii) per­form­ance of an agree­ment or (iii) legit­im­ate interest. If the basis is (i) con­sent, the cur­rent prac­tice of WiFi track­ing fails to sat­is­fy the (strict) require­ments applic­able to this basis. As per­son­al data cur­rently are col­lec­ted auto­mat­ic­ally, and undetec­ted, through WiFi track­ing, data sub­jects often can­not give their pri­or con­sent, for example. In addi­tion, in most situ­ations where Wi-Fi track­ing is applied (ii) no agree­ment has been con­cluded with the data sub­jects (on the basis of which WiFi track­ing is neces­sary). The basis of (iii) legit­im­ate interest might offer a solu­tion, but the Dutch DPA inter­prets this basis strictly (e.g., indic­at­ing that using this basis is impossible in the event WiFi track­ing is car­ried out for a com­mer­cial pur­pose). What is more, the Dutch DPA indic­ates that in any case WiFi track­ing is allowed in very few cases and only under very strict con­di­tions. In this con­text, DPA Chair­man Aleid Wolf­sen said that “there are vir­tu­ally no reas­ons to legit­im­ately fol­low shop­pers or trav­el­lers”.[1]

 

In short: select­ing a basis for WiFi track­ing seems an impossible task, the more so where spe­cial cat­egor­ies of per­son­al data (e.g. about someone’s reli­gious beliefs, when vis­it­ing a mosque) may also be col­lec­ted, as in such a case, bases (ii) and (iii) can no longer offer a solu­tion. This means that a crit­ic­al assess­ment must also be made of the places where WiFi track­ing can take place.

 

Devel­op­ments con­cern­ing the e-Pri­vacy Reg­u­la­tion

The European Commission’s (“EC”) pro­pos­al for the e-Pri­vacy Reg­u­la­tion provides – briefly put – that WiFi track­ing is pro­hib­ited unless a clear and vis­ible mes­sage is dis­played that includes inform­a­tion about the meas­ures that may be taken to ter­min­ate the WiFi track­ing. In the ver­sion of this e-Pri­vacy Reg­u­la­tion amended by the European Par­lia­ment[2], and the later ver­sion of the Coun­cil of Europe[3], this art­icle is inter­preted (even) more strictly. On that basis, WiFi track­ing is only per­mit­ted if con­sent has been giv­en or if the data are used (in short) only for stat­ist­ic­al pur­poses.

 

European author­it­ies are cur­rently debat­ing the con­di­tions under which WiFi track­ing is per­mit­ted. The EC pro­pos­al sup­posedly under­mines the pro­tec­tion offered by the GDPR, for example.[4] Although the amended pro­pos­als pro­tect the rights of data sub­jects to a great­er extent, poten­tially use­ful ana­lyses may no longer be car­ried out if they become effect­ive (since in prac­tice, obtain­ing val­id con­sent is not yet part of the sys­tem). The debate on how to make obtain­ing con­sent tech­nic­ally pos­sible is in full swing, how­ever. Tech­nic­al default set­tings to sig­nal WiFi track­ing on mobile devices, to be con­sen­ted to or not, might be a solu­tion, but do not exist today.

 

WiFi track­ing and pri­vacy legis­la­tion: a thing for the future

Because there is still a great deal of uncer­tainty both about cur­rent and future leg­al frame­works, it has become less clear for organ­isa­tions when they can use WiFi track­ing, and less clear for data sub­jects when they may be sub­jec­ted to it. Accord­ingly, the legis­la­tion con­tains a loop­hole that is cur­rently insuf­fi­ciently addressed by the reg­u­lat­ors involved. Future legis­la­tion is anti­cip­ated to provide great­er clar­ity and to do justice both to the pro­tec­tion of data sub­jects and to the oppor­tun­it­ies that WiFi track­ing has to offer.

 

[1] https://autoriteitpersoonsgegevens.nl/nl/nieuws/bedrijven-mogen-mensen-alleen-bij-hoge-uitzondering-met-wifitracking-volgen .

[2] http://www.europarl.europa.eu/doceo/document/A-8-2017-0324_EN.html?redirect.

[3] https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CONSIL:ST_6771_2019_INIT&from=EN.

[4] European Data Pro­tec­tion Super­visor, opin­ion 6/2017, EDPS Opin­ion on the Pro­pos­al for a Reg­u­la­tion on Pri­vacy and Elec­tron­ic Com­mu­nic­a­tions (ePri­vacy Reg­u­la­tion), p. 19-20 and Art­icle 29 data pro­tec­tion work­ing party, Opin­ion 01/2017 on the Pro­posed Reg­u­la­tion for the ePri­vacy Reg­u­la­tion (2002/58/EC), adop­ted on 4 April 2017, p. 11 – 12.