EU Regulatory Challenges for Wi-Fi – GDPR & RPEC
It is historically understood that the quid pro quo of free Wi-Fi includes some level of data sharing. Consumers know that nothing is really free, yet they expect the data cost to them to have limited consequences. This is the general thrust of the new General Data Protection Regulation (GDPR). At its core is the intention to ensure that our human rights to liberty and security, free association, freedom of expression, and ultimately the right to a private life are not undermined just because we choose to use a digital medium to engage, communicate or share information.
Some businesses are aware of the GDPR and the new rights people have over “their” personal data. Far fewer are aware of a new regulation that is targeted to come into force at the same time (May 25th 2018). This is referred to as the Regulation that replaces the Regulation for Privacy of Electronic Communication (we don’t know yet what its new name will be), and as one would expect from its name, it directly applies to Wi-Fi; in fact, certain clauses within its current draft explicitly refer to Wi-Fi. You may have heard of the E-Privacy directive or the ‘cookie law’. RPEC is a replacement of this law in the context of the GDPR: the two are in effect a legislative duo designed to support one another, and together they have a very significant impact on Wi-Fi deployment.
If these laws were not enough, there was a CJEU (Court of Justice of the EU) judgment in Germany in 2016 that in effect decided all public Wi-Fi providers were in fact ISPs and thus responsible for enabling lawful pursuit of copyright infringers using that connection! (Note: it is probable that this judgment will be refined by future judgments, as it is arguably untenable.) However, it does show the current fluid interpretation of laws around Wi-Fi as it becomes one of the most common methods of Internet access. Wi-Fi is a new legislative battleground for privacy rights, so it is time to think carefully about what data you collect from your users.
As we consider making our Wi-Fi ‘Friendly’, we are increasingly being driven to become more legislation aware. In these blogs we’ll try to bring out a basic understanding of the new laws, not by taking you into the legislative detail immediately (we all have better things to do with our time), but by helping you understand the objectives of the law and the principles it is seeking to inculcate. I have already referred to the human rights legislation; both the GDPR and RPEC are seeking to clarify how to interpret these rights in daily life in the context of the technologies we use. They do this by defining principles of operation, and it is those principles we will focus on to start with.
RPEC Focus for Wi-Fi
Let’s start with the revised RPEC, as it directly refers to public Wi-Fi (not including an organization’s intranet). The fines for non-compliance are as big as the GDPR’s, €20m or 4% of global turnover, and like the GDPR it will be a regulation that is consistently implemented in every EU member state (the UK government has not yet stated it will implement the new RPEC, but it is likely to, as it will still be in the EU when it comes into force). The goal of RPEC is to require telecommunications infrastructure providers to secure the confidentiality of communications. This is more than just the content; it also means confidentiality of a user’s location and the date, time, duration and recipient of a communication. So those many Wi-Fi providers collecting and processing location information will have to rethink this part of their business model. To be clear, just because it’s a ‘free’ service does not give you the right to exploit location data (as one CIO of a public Wi-Fi provider once told me he thought was his company’s right).
Oh, and as we enter the age of the IoT (Internet of Things), we should be clear that machine-to-machine communication is covered too if it relates to a user (your wearable device’s data, for example). Further, the regulation also applies to closed social media profiles and groups that the user has restricted or defined as private. So beware of using a social media login to authenticate a user and associating activities to or from it. Some Wi-Fi providers both track location within a facility and link it to a social media profile. This will no longer be allowed without unambiguous opt-in consent if the legislation passes as currently drafted. Location tracking is allowed if fully anonymized, e.g. for crowd traffic management purposes (it is very, very difficult to anonymize an individual’s location data, so be careful).
This leaves browsing data – can you track it? Yes – with explicit consent. We’ll cover more on that issue when we discuss the GDPR, because consent is no longer something to hide in the depths of a privacy contract no one reads.
You can of course collect the minimum data necessary for billing purposes or for managing the quality of service of the Wi-Fi, without consent. However, be aware that if the data you collect puts someone’s human rights at risk, you’ll need to be able to justify your processing.
Finally, and perhaps most importantly, if you are a venue using a third-party Wi-Fi provider, they should be able to communicate to you, in simple, clear, non-legal language (not buried in terms and conditions), what personal data they collect and what they do with it. If they cannot, steer clear (after May 2018)!
In our next blog we’ll start to cover the GDPR, which impacts many more aspects of how we deal with people’s data. Please post your questions here; many aspects of the new laws are open to interpretation, so debate is healthy at this early stage.
Geoff Revill - Managing Director, Krowdthink Ltd