I am trying to advise a customer about the measures he needs to put in place to ensure the GDPR compliance of his initiative using Meraki.
When an end user associates his device to an SSID, Meraki dashboard tracks the device MAC address and the logs of the activities of that device (for example associations / disassociations). This happens immediately as soon as the device associates the first time, independently if there is eventually a captive portal after, or it is a simple WPA2 or open network.
The MAC address is considered personal data in the GDPR, and, since it is not anonymized immediately after the collection, it is subject to the GDPR rules. Moreover, the logs are associated with an APs which physical location is known, so the logs track also the location of the device, plus other info (model, manufacturer, etc..)
The only lawful ground that can be used for the collection and processing of such personal data is legitimate interest.
However, to rely on this principle, the data controller must anyway provide prior notice to individuals before the data is collected. But, even in case of setting up a Splash Page with the privacy notice, that personal data is collected before and independently from the acceptance (or not acceptance) of the terms on the splash page.
What is the best practice recommended for a data controller to be able to deploy a WiFi network in compliance with GDPR? How can a data controller prove the legitimate interest in collecting and processing such personal data in clear and for such a long time?
You make a good point. I'm no lawyer so I don't know the specifics around storing a MAC address without prior consent. I do know that Meraki has dashboard features and API calls to remove that information upon user request. More info about that is here:
But that doesn't stop the AP from collecting the MAC-address upon first connection. Then again, the user does choose to connect to the Wi-Fi network, so I guess in a way that's consent? Do you know of any other vendors that are able to get around the requirement of storing the MAC-address when a user connects to the splash page. Seems technically impossible?
I don't know the answers. Check out this GPDR blog article on the Meraki perspective.
I am not a lawyer as well, but I understood that "consent" and "legitimate interest" are two different lawful grounds to collect and process personal data. Just associating to an SSID is not a freely given, informed and explicit consent to give "someone" (who?) the right to see and process the MAC address (personal data). So I believe it can't be considered consent.
The only way, I guess, is to leverage the legitimate interest ground. And to rely on that the GDPR requires anyway to inform the customer before, with a notice that explains at least on the first level what data is collected and who is the controller, on top of providing mechanisms to object (a prior and a posteriori) to the collection and to adopt adequate security measure for the processing itself (for example pseudonymization). And this seems to be the tricky part, in fact, I don't know any vendor doing that.
Technically it would be possible eventually, just avoiding to track the logs unless you get consent for it.
Moreover, in the end, tracking the MAC address and location (AP) by means of association logs is equivalent to tracking the MAC with the Location APIs from the end user perspective.
Looking forward to collecting opinions on this topic.