Wi-Fi tracking and its adaptation to GDPR

Wi-Fi tracking and its adaptation to GDPR

Risk of wi-fi tracking

The competent supervisory authorities in Spain, the Spanish Data Protection Agency, the Catalan Data Protection Authority, the Basque Data Protection Authority and the Council for Transparency and Data Protection of Andalusia have drawn up Guidelines on processing incorporating Wi-Fi tracking technology, which analyse the implications of this technology in view of the data protection risks that are beginning to be present in our daily lives. 

We know that Wi-Fi tracking is a technological tool that allows us to identify and track mobile devices through the Wi-Fi signals they emit, detecting the presence of the device in a specific area and identifying movement patterns. We see this technology applied in a multitude of scenes in our society: used for the analysis of flows of people, capacity, permanence, exit and a long etcetera. 

So much so that it offers us great competitive powers for the development and promotion of our daily lives that this utility is proliferating every day in more disparate areas of application, which is why the data protection authorities are trying to echo its implications in the processing of personal data.

The risk involved in tracking the movements of individuals without their awareness or without a legal basis to provide them with certainty about such processing is driving progress in regulatory compliance, which is becoming increasingly sophisticated and comprehensive in terms of data subjects rights. 

Data protection

Wi-Fi tracking technology, while not in itself a processing of personal data, can be a component of a broader processing. Presence and location analysis, based on this technology, can provide valuable information on the movements of devices within a given area. 

However, it is essential that data controllers carefully evaluate the available technological options and select those that minimise the impact on individuals’ privacy. 

The purposes of processing by Wi-Fi tracking must be explicit, i.e. they must be clearly stated, they must be legitimate and they must be communicated to the data subjects at the latest at the time of collection. In addition, data collected for a specific purpose by means of Wi-Fi tracking may not be used for a subsequent incompatible purpose. To this end, it is essential to ensure that the further processing does not deviate from the purposes already established for the processing, of which the data subjects must be informed.

The AEPD recalls that the purpose of the processing is not to carry out Wi-Fi tracking, so if it is possible to achieve the ultimate purpose with a less intrusive technique, the principle of data minimisation would not be complied with. If no other technique than Wi-Fi tracking were possible, in order to comply with the principle of minimisation, the data processed would have to be adjusted, in their categories, frequency, granularity, etc., to what is strictly necessary, and their retention period would have to be the minimum necessary, proceeding to their effective erasure or anonymisation, by means of automated processes whenever possible. 

Accuracy of data is crucial, especially in cases where probabilistic methods are used to establish relationships. Erroneous data must be corrected or eliminated. Security and confidentiality are indispensable requirements. The controller must demonstrate compliance with Article 6(1) of the GDPR, ensuring that the processing is necessary and proportionate.

Strengthening transparency

The authorities have determined that the data processing in question presents a high level of risk. They therefore recommend carrying out a Data Protection Impact Assessment (DPA) before starting any activity. In addition, to ensure transparency and compliance with the GDPR, it is essential to implement clear and accessible information measures, such as visible information boards, public signage, voice alerts or information campaigns.

In conclusion, the determination of a high risk in data processing marks a turning point that requires greater attention and care in the management of personal information. Of great importance are the measures put in place by the authorities seeking to ensure a balance between innovation and the protection of individuals fundamental rights.