Tag Archive: Wi-Fi

GERMANY: Amended Liability Laws to Promote Public Wi-Fi

By: Dr. Thomas Jansen and Mari Martin

On May 11, 2016, the German coalition government agreed to amend the Telemedia Act, which sets the framework for Internet usage across Germany, in order to limit fault liability for Wi-Fi providers. The new regulation states that Wi-Fi providers will not be held liable for the illegal activities of persons using the service. This means that Wi-Fi providers are not responsible for users’ potentially illegal web activity, which may include copyright violations and illegal access to music, movies, and computer games. In the past, Wi-Fi operators in Germany have faced liability for the misconduct of users, regardless of their degree of fault. This left many businesses in Germany reluctant to provide public Wi-Fi access. With these amendments, the German government intends to encourage an increase in the number of Wi-Fi hotspots available in the country. This amendment clarifies that both private and commercial Wi-Fi service providers, such as restaurants or hotels, can rely on the so-called “liability privilege,” meaning they will no longer be liable for users’ online activity. However, some hurdles to an open Wi-Fi structure remain. The new law would require users to give their Wi-Fi host a written assurance that they will not act illegally before signing into the network. In addition, hotspot providers must provide “adequate” electronic security, for example, through the use of encryption methods. The amendment is the latest step in the coalition government’s “Digital Agenda,” which is aimed at improving electronic capabilities nationwide. Currently, far fewer hotspots are offered in Germany than in other EU countries such as the UK and France. With this amendment, the German government intends to change this. “We hope for an impulse so that, for example, cafés or airports or simply a private person can open his WLAN and make it accessible to others,” said Tanja Alemany, spokesperson for the German Economy Ministry. Potential hotspot providers who until now have been hesitant to provide public Wi-Fi access should now feel more secure in offering such hotspots. However, the law has been criticized by retailers, providers, and privacy activists. In particular, the provision requiring “adequate” electronic security was criticized by Germany’s HDE retailers’ federation as setting a legal “trap” because of the vague langue used in the rules regarding how the Wi-Fi is to be made electronically secure. The Bundestag is likely to debate the amendment in the coming weeks. The legislation is expected to enter into force later this year.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/germany-amended-liability-laws-to-promote-public-wi-fi/

Extent of mobile location tracking in the UK laid bare by new report

An e-privacy organisation has today released the findings of an investigation which reveals the extent of mobile location tracking in the UK.

The report, published by Krowdthink Limited, examines the contracts, policies and practices of mobile Wi-Fi service providers in relation to location tracking.

According to the report, mobile and Wi-Fi service providers know – ‘without you knowing – where you are, how you got there and can figure out where you are going.’ Many people are location-tracked by their mobile phone device each day, unaware of the highly sensitive data that this generates which can and is then sold on for profit. The report reveals that many mobile phone and Wi-Fi service providers, including wireless hotspots, are not telling customers upfront at the point of contract signature or online via their websites that the customer’s movements will be tracked and location data (which can be saved for up to 12 months) can then be used for marketing purposes or sold onto third parties. The details of this is often concealed in contracts and the fact that customers can opt out of location tracking is often unclear.

The level of detail extracted by service providers can reveal a customer’s gender, sexual orientation, religion and many other personal details that could present serious risks to blackmailing. Mobile phone service providers often anonymise data which means that they are not legally obliged to ask for consent, however customers need to be aware of the weakness of anonymisation alone to secure our personal information as low dimension data can be de-anonymised.

93% of UK citizens opt in to location tracking by default, meaning that nearly every one of us with a mobile phone, even a simple one, is being location tracked all the time. Under the Data Protection Act (DPA), consumers can opt out of this by contacting their service provider and following the introduction of the General Data Protection Regulation (GDPR) we will, in certain circumstances, have the right to have all of our data erased (the so-called “right to be forgotten”).

The GDPR will require mobile phone service providers and providers of Wi-Fi networks to provide more transparent and consumer friendly privacy contracts. At the moment, the report has found that  many of these contracts  separate out the clauses that discuss what data is collected from consumers from the clauses that discuss usage with location . Service providers try to legitimise their obtaining of location data as something that is needed for routing phone calls or meeting the requirements of government security, however this is not always true.

Mobile phone companies and providers of Wi-Fi networks should consider doing the following:

  •  communicate privacy notices, including information about location tracking, at the point that data is first collected from users;
  • ensure consent is obtained to the use of location tracking data, in accordance with the Privacy and Electronic Communications Regulations;
  • make privacy policies as clear, transparent and consumer friendly as possible;
  • ensure privacy policies communicate to data subjects what their rights are;
  • consider providing users with easy to follow instructions about how to switch off GPS or Wi-Fi location tracking features;
  • ensure users understand who location data will be shared with and for what purposes; and
  • only retain location data for as long as is necessary to fulfil the purposes for which it was collected.

You can find Krowdthink’s report here – http://www.krowdthink.com/report.pdf

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/extent-of-mobile-location-tracking-in-the-uk-laid-bare-by-new-report/

UK – ICO ISSUES GUIDANCE ON WI-FI LOCATION ANALYTICS

Earlier this month, the UK data protection authority, the Information Commissioner’s Officer (“ICO”), published guidance on safely processing personal data derived from Wi-Fi location analytics. This guidance is important not only to retail businesses who provide Wi-Fi networks to their customers, but also to companies who just provide Wi-Fi access solely to their employees. With most large organisations and businesses now providing Wi-Fi access it is certainly a fitting time to consider this issue.

 

Wi-Fi analytics is the ability of businesses to track customers or employees using the media access control (MAC) address which a Wi-Fi enabled device transmits when it is searching for Wi-Fi networks.

 

By monitoring signal strength organisations can estimate the distance of a device from a particular access point and, in effect, monitor the location of a device and track the behaviour of a particular device over time.

 

If an individual can be identified from a MAC address, or other information in possession of the network operator, then the data will be personal data – regardless of whether the name of the individual remains unknown. Where an organisation uses a MAC address or other unique identifier to track a device with the purpose of singling them out or treating them differently, or storing or using that information in any way, it will be processing personal data. As there is no requirement for the device to connect to the Wi-Fi network there is also a risk that data relating to an individual is processed in a covert manner.

 

With businesses now seeing the benefits of using Wi-Fi analytics to monitor their customers and employees, this guide outlines some of the ways privacy-friendly design solutions can be embedded to ensure compliance. The guidance outlines that businesses should be providing clear and prominent information to alert individuals that certain processing is taking place. Recommended notification methods include the use of signage at the entrance to the collection area or information on websites (for example in a privacy policy) and in any sign-up or portal page of the Wi-Fi network the business may be providing.

 

The guidance also reiterates that organisations using Wi-Fi analytics should take care to avoid excessive data collection and to reduce the risk of identification of individuals in the collected data. By way of example, this could be accomplished by converting the MAC addresses into alternative formats that continue to suit the specified purposes whilst removing the identifiable elements. Location of the data collection device as well as sampling methods could also be used to reduce the volume or privacy intrusion of the data collected or to define specific collection periods. Organisations should also be considering the use of effective control mechanisms allowing individuals a simple and effective means to control the processing.

 

It is now clear that the processing of device identifiers collected through the provision of Wi-Fi networks can involve the processing of personal data. In light of this, if you use Wi-Fi analytics you must now begin to implement the ICO’s guidance to ensure that they remain compliant. In summary, you should:

 

  • understand what personal data you collect over your Wi-Fi network, including MAC addresses and location data;
  • provide clear and prominent notices – in privacy policies, on the log-in pages for Wi-Fi networks and in physical locations such as shop floors;
  • consider anonymising MAC addresses if your analytics can be carried out in this way;
  • try other data minimisation techniques, such as sampling, to reduce the volume of personal data collected.

 

You can find the ICO guidance here – https://ico.org.uk/media/for-organisations/documents/1560691/wi-fi-location-analytics-guidance.pdf

 

For more information about the issues contained in this post, please contact Andrew Dyson, Partner (andrew.dyson@dlapiper.com), JP Buckley, Legal Director (jp.buckley@dlapiper.com) or James Clark, Associate (james.clark@dlapiper.com), all at DLA Piper UK LLP.

 

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/uk-ico-issues-guidance-on-wi-fi-location-analytics/