ARE MAC ADDRESSES PERSONAL DATA?

30 July 2018

• cyber security
• Cyber Law Liverpool
• data protection
• GDPR
• personal data
• Solicitors Liverpool
• GDPR liverpool
• IP address
• MAC
• MAC addresses
• media access control
• smart phone tracking

A media access control (MAC) address of a computer is a unique identifier assigned to network interfaces for communications at the data link layer of a network segment.

On page 11, paragraph 2, the WP29 states "it should be noted that these MAC addresses are personal data, even after security measures such as hashing have been undertaken."

The CJEU's judgment, in C-582/14 Breyer, refers to dynamically assigned IP addresses. Given MAC addresses can be mimicked or changed, it may seem odd that they are considered personal data. However, there are very good reasons WP29 state MAC addresses should be regarded as personal data:

Every owner of a smart phone is susceptible to being tracked and traced as they move between public WiFi networks regardless of whether they join the network or not. Whilst most modern devices automatically generate a random MAC address each time it connects to a new network to avoid tracking, it is by no means fool-proof. Software comes with bugs or may be poorly implemented, users unknowingly and randomly switch features off and on.

The reason why the unique-assigned hardware address of the network interface of devices like mobiles, cameras, computers, cars, etc. should be regarded as personally identifiable information is because these addresses are meant to be static and thus can be tracked globally regardless of where the user goes.  

In Germany it has been considered as personal data for a long time, as have as IP addresses and IMEI.  

A fake ID, such as a passport, is usually easily determined when the individual is present, but the same cannot be done with a spoofed MAC address.

This means that anyone within the EU offering public WiFi is potentially caught by GDPR, because a MAC address can be changed before or after receiving an IP address. An informed criminal could for example use the MAC address from your phone, then change it back after the crime is committed.

Any piece of data (e.g. MAC address) if combined with other data or not, which help to identify a living individual, should rightfully be considered PII.