Meraki Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

GDPR compliance of event logs with MAC address

imuccini
Here to help
‎Apr 24 2019 12:10 PM
‎Apr 24 2019 12:10 PM

GDPR compliance of event logs with MAC address

I am trying to advise a customer about the measures he needs to put in place to ensure the GDPR compliance of his initiative using Meraki.

 

When an end user associates his device to an SSID, Meraki dashboard tracks the device MAC address and the logs of the activities of that device (for example associationsdisassociations). This happens immediately as soon as the device associates the first time, independently if there is eventually a captive portal after, or it is a simple WPA2 or open network.

 

The MAC address is considered personal data in the GDPR, and, since it is not anonymized immediately after the collection, it is subject to the GDPR rules. Moreover, the logs are associated with an APs which physical location is known, so the logs track also the location of the device, plus other info (model, manufacturer, etc..)

 

The only lawful ground that can be used for the collection and processing of such personal data is legitimate interest. 

However, to rely on this principle, the data controller must anyway provide prior notice to individuals before the data is collected. But, even in case of setting up a Splash Page with the privacy notice, that personal data is collected before and independently from the acceptance (or not acceptance) of the terms on the splash page.

 

What is the best practice recommended for a data controller to be able to deploy a WiFi network in compliance with GDPR? How can a data controller prove the legitimate interest in collecting and processing such personal data in clear and for such a long time?

 

0 Kudos
Subscribe
4 Replies 4
BrechtSchamp
Kind of a big deal
‎Apr 24 2019 1:07 PM
‎Apr 24 2019 1:07 PM

You make a good point. I'm no lawyer so I don't know the specifics around storing a  MAC address without prior consent. I do know that Meraki has dashboard features and API calls to remove that information upon user request. More info about that is here:

https://documentation.meraki.com/zGeneral_Administration/Privacy_and_Security/Meraki_Data_Privacy_an...

 

But that doesn't stop the AP from collecting the MAC-address upon first connection. Then again, the user does choose to connect to the Wi-Fi network, so I guess in a way that's consent? Do you know of any other vendors that are able to get around the requirement of storing the MAC-address when a user connects to the splash page. Seems technically impossible?

Subscribe
In response to BrechtSchamp
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Apr 24 2019 1:46 PM
‎Apr 24 2019 1:46 PM

I don't know the answers.  Check out this GPDR blog article on the Meraki perspective.

https://meraki.cisco.com/blog/2015/11/cisco-meraki-makes-eu-privacy-compliance-simple/

0 Kudos
Subscribe
In response to BrechtSchamp
imuccini
Here to help
‎Apr 24 2019 1:51 PM
‎Apr 24 2019 1:51 PM

I am not a lawyer as well, but I understood that "consent" and "legitimate interest" are two different lawful grounds to collect and process personal data. Just associating to an SSID is not a freely given, informed and explicit consent to give "someone" (who?) the right to see and process the MAC address (personal data). So I believe it can't be considered consent.

 

The only way, I guess, is to leverage the legitimate interest ground. And to rely on that the GDPR requires anyway to inform the customer before, with a notice that explains at least on the first level what data is collected and who is the controller, on top of providing mechanisms to object (a prior and a posteriori) to the collection and to adopt adequate security measure for the processing itself (for example pseudonymization). And this seems to be the tricky part, in fact, I don't know any vendor doing that.

 

Technically it would be possible eventually, just avoiding to track the logs unless you get consent for it.

Moreover, in the end, tracking the MAC address and location (AP) by means of association logs is equivalent to tracking the MAC with the Location APIs from the end user perspective.

 

Looking forward to collecting opinions on this topic.

0 Kudos
Subscribe
Aaron_Wilson
A model citizen
‎Apr 25 2019 2:48 AM
‎Apr 25 2019 2:48 AM

Simple answer, make the SSID itself a EULA (all be it a short one) 😉

A more interesting point is you can track a users device without them joining your network and without their consent. Does GDPR apply if a user does not join your network, yet you can track their fairly precise location (Bluetooth logging)?
0 Kudos
Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.