WiFi and/or Bluetooth tracking (WiFi tracking for short) is a technique used to follow large groups of people and to analyse their patterns of movement, for example at a train station or in a shopping centre. Although WiFi tracking may have valuable and social functions – such as crowd management to ensure people’s safety – the question arises as to how it relates to the right to privacy. This blog will discuss the current legal regime regarding WiFi tracking, the developments in that context, and the consequences for those involved and for organisations that want to use of WiFi tracking.
What is WiFi tracking?
In short, WiFi tracking causes the signal from a smartphone or tablet, for example, to be captured by measuring equipment, which can then determine the device’s location, among other things. What people fail to realise is that to receive these signals, no active action by the holder of the device (such as logging on to a WiFi network) is required. WiFi tracking is not noticeable and often it cannot be ascertained whether it has taken place and when.
Which legal regime applies?
If an organisation wants to apply WiFi tracking or a data subject wants to oppose it, there are various legal regimes to consider. Firstly, the General Data Protection Regulation (GDPR) applies; secondly, although this is still in debate, the Telecommunications Act (Telecommunicatiewet, Tw) may also apply.
The application of the GDPR follows from the fact that in the context of WiFi tracking, a combination of data is collected that may indirectly or directly identify a specific person. As people are often in the same location as their smartphone, the location of the phone (in combination with, for example, camera images, WiFi login data or a loyalty card) is likely to provide information about its owner. (Partly) because the anonymization of data in WiFi tracking is technically complex, personal data are almost always being processed – as such, WiFi tracking must take place in compliance with the GDPR.
At present, there is still uncertainty as to whether, in addition to the GDPR, the “cookie” rules of the Tw also apply to WiFi tracking; this would result in permission being required for WiFi tracking. The regulator under the Tw, the Netherlands Authority for Consumers & Markets, has not expressed an opinion on this. Since the Tw is to be replaced by the e-Privacy Regulation, which will contain specific rules concerning WiFi tracking, its content will determine the future of WiFi tracking.
Consequences of the applicability of the GDPR
The applicability of the GDPR has major consequences for organisations that use WiFi tracking. For example: WiFi tracking is deemed justified only if the data subjects are informed about it and if there is a “basis” for processing their data. These two requirements are not easily met.
As to the obligation to provide information: (inattentive) data subjects are not and cannot be (sufficiently) informed about WiFi tracking. This may result in practical objections – for example, when measurements in traffic are concerned.
Private organisations have only limited options in selecting a basis for carrying out this activity: (i) consent, (ii) performance of an agreement or (iii) legitimate interest. If the basis is (i) consent, the current practice of WiFi tracking fails to satisfy the (strict) requirements applicable to this basis. As personal data currently are collected automatically, and undetected, through WiFi tracking, data subjects often cannot give their prior consent, for example. In addition, in most situations where Wi-Fi tracking is applied (ii) no agreement has been concluded with the data subjects (on the basis of which WiFi tracking is necessary). The basis of (iii) legitimate interest might offer a solution, but the Dutch DPA interprets this basis strictly (e.g., indicating that using this basis is impossible in the event WiFi tracking is carried out for a commercial purpose). What is more, the Dutch DPA indicates that in any case WiFi tracking is allowed in very few cases and only under very strict conditions. In this context, DPA Chairman Aleid Wolfsen said that “there are virtually no reasons to legitimately follow shoppers or travellers”.
In short: selecting a basis for WiFi tracking seems an impossible task, the more so where special categories of personal data (e.g. about someone’s religious beliefs, when visiting a mosque) may also be collected, as in such a case, bases (ii) and (iii) can no longer offer a solution. This means that a critical assessment must also be made of the places where WiFi tracking can take place.
Developments concerning the e-Privacy Regulation
The European Commission’s (“EC”) proposal for the e-Privacy Regulation provides – briefly put – that WiFi tracking is prohibited unless a clear and visible message is displayed that includes information about the measures that may be taken to terminate the WiFi tracking. In the version of this e-Privacy Regulation amended by the European Parliament, and the later version of the Council of Europe, this article is interpreted (even) more strictly. On that basis, WiFi tracking is only permitted if consent has been given or if the data are used (in short) only for statistical purposes.
European authorities are currently debating the conditions under which WiFi tracking is permitted. The EC proposal supposedly undermines the protection offered by the GDPR, for example. Although the amended proposals protect the rights of data subjects to a greater extent, potentially useful analyses may no longer be carried out if they become effective (since in practice, obtaining valid consent is not yet part of the system). The debate on how to make obtaining consent technically possible is in full swing, however. Technical default settings to signal WiFi tracking on mobile devices, to be consented to or not, might be a solution, but do not exist today.
WiFi tracking and privacy legislation: a thing for the future
Because there is still a great deal of uncertainty both about current and future legal frameworks, it has become less clear for organisations when they can use WiFi tracking, and less clear for data subjects when they may be subjected to it. Accordingly, the legislation contains a loophole that is currently insufficiently addressed by the regulators involved. Future legislation is anticipated to provide greater clarity and to do justice both to the protection of data subjects and to the opportunities that WiFi tracking has to offer.
 European Data Protection Supervisor, opinion 6/2017, EDPS Opinion on the Proposal for a Regulation on Privacy and Electronic Communications (ePrivacy Regulation), p. 19-20 and Article 29 data protection working party, Opinion 01/2017 on the Proposed Regulation for the ePrivacy Regulation (2002/58/EC), adopted on 4 April 2017, p. 11 – 12.