Are MAC Addresses Personal Data?

23 December 2019


A media access control (MAC) address of a computer is a unique identifier assigned to network interfaces for communications at the data link layer of a network segment.

On page 11, paragraph 2, the WP29 states "it should be noted that these MAC addresses are personal data, even after security measures such as hashing have been undertaken."
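The point about hashing can be shown in a few lines. This is an added example, not part of the original article: an unkeyed hash of a MAC address is as stable as the address itself, so sightings at different venues still link to one device, whereas a token keyed with a secret that is replaced each day does not link across days. The sightings, addresses, function names and daily-key scheme are constructed for illustration, and the example makes no claim about the legal status of either token.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

def normalise(mac: str) -> bytes:
    """Return the 6 raw bytes of a MAC written with ':' or '-' separators."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return raw

def plain_hash(mac: str) -> str:
    """Unkeyed SHA-256: deterministic, so the token is as stable as the MAC."""
    return hashlib.sha256(normalise(mac)).hexdigest()

def rotating_token(mac: str, daily_key: bytes) -> str:
    """HMAC-SHA-256 under a key that is replaced and destroyed every day."""
    return hmac.new(daily_key, normalise(mac), hashlib.sha256).hexdigest()

def linked_venues(sightings, tokenise):
    """Return tokens seen at more than one venue; tokenise(mac, day) -> token."""
    seen = defaultdict(set)
    for day, venue, mac in sightings:
        seen[tokenise(mac, day)].add(venue)
    return {tok: venues for tok, venues in seen.items() if len(venues) > 1}

# Constructed sightings (day, venue, MAC); the addresses are made-up values.
SIGHTINGS = [
    ("2019-12-20", "cafe", "00:11:22:33:44:55"),
    ("2019-12-21", "station", "00-11-22-33-44-55"),
    ("2019-12-21", "station", "66:77:88:99:aa:bb"),
    ("2019-12-22", "mall", "00:11:22:33:44:55"),
]
# Hypothetical scheme: one random key per day, never stored beyond that day.
DAILY_KEYS = {day: secrets.token_bytes(32) for day, _, _ in SIGHTINGS}

def plain_links():
    return linked_venues(SIGHTINGS, lambda mac, day: plain_hash(mac))

def rotating_links():
    return linked_venues(SIGHTINGS, lambda mac, day: rotating_token(mac, DAILY_KEYS[day]))

if __name__ == "__main__":
    print("plain hash, devices linked across venues:", len(plain_links()))
    print("rotating key, devices linked across venues:", len(rotating_links()))
```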

The CJEU's judgment, in C-582/14 Breyer, refers to dynamically assigned IP addresses. Given MAC addresses can be mimicked or changed, it may seem odd that they are considered personal data.

However, there are very good reasons why WP29 states that MAC addresses should be regarded as personal data.

Every owner of a smartphone is susceptible to being tracked and traced as they move between public WiFi networks, regardless of whether they join the network or not. While most modern devices automatically generate a random MAC address each time they connect to a new network to avoid tracking, this is by no means fool-proof. Software comes with bugs or may be poorly implemented, and users unknowingly and randomly switch features off and on.

The uniquely assigned hardware address of the network interface of devices like mobiles, cameras, computers, cars, etc. should be regarded as personally identifiable information (PII) because these addresses are meant to be static and thus can be tracked globally regardless of where the user goes.

In Germany, MAC addresses have been considered personal data for a long time, as have IP addresses and IMEI.

A fake ID, such as a passport, is usually easily determined when the individual is present, but the same cannot be done with a spoofed MAC address.

This means that anyone within the EU offering public WiFi is potentially caught by GDPR, because a MAC address can be changed before or after receiving an IP address. An informed criminal could, for example, use the MAC address from your phone, then change it back after the crime is committed.

Any piece of data (e.g. a MAC address) which, whether combined with other data or not, helps to identify a living individual should rightfully be considered PII.


This article is provided free of charge for information purposes only. It does not constitute legal advice and should not be relied on as such. No responsibility for the accuracy and/or correctness of the information and commentary set out in the article, or for any consequences of relying on it, is assumed or accepted by any member of the law firm.
