23 December 2019
A media access control (MAC) address of a computer is a unique identifier assigned to network interfaces for communications at the data link layer of a network segment.
On page 11, paragraph 2, the WP29 states "it should be noted that these MAC addresses are personal data, even after security measures such as hashing have been undertaken."
The CJEU's judgment, in C-582/14 Breyer, refers to dynamically assigned IP addresses. Given MAC addresses can be mimicked or changed, it may seem odd that they are considered personal data.
However, there are very good reasons WP29 state MAC addresses should be regarded as personal data.
Every owner of a smartphone is susceptible to being tracked and traced as they move between public WiFi networks, regardless of whether they join the network or not. While most modern devices automatically generate a random MAC address each time it connects to a new network to avoid tracking, it is by no means fool-proof. Software comes with bugs or may be poorly implemented and users unknowingly and randomly switch features off and on.
The reason why the unique-assigned hardware address of the network interface of devices like mobiles, cameras, computers, cars, etc. should be regarded as personally identifiable information (PII) is because these addresses are meant to be static and thus can be tracked globally regardless of where the user goes.
In Germany, it has been considered as personal data for a long time, as have as IP addresses and IMEI.
A fake ID, such as a passport, is usually easily determined when the individual is present, but the same cannot be done with a spoofed MAC address.
This means that anyone within the EU offering public WiFi is potentially caught by GDPR, because a MAC address can be changed before or after receiving an IP address. An informed criminal could, for example, use the MAC address from your phone, then change it back after the crime is committed.
Any piece of data (e.g. MAC address) if combined with other data or not, which help to identify a living individual, should rightfully be considered PII.
Data protection is a complex area of the law. Our team provide clear, straightforward and up to date guidance on all aspects of data protection and GDPR to ensure your business is compliant. For a free initial consultation, contact our specialist team on 0151 659 1070 or complete our online enquiry form.
This article is provided free of charge for information purposes only. It does not constitute legal advice and should not be relied on as such. No responsibility for the accuracy and/or correctness of the information and commentary set out in the article, or for any consequences of relying on it, is assumed or accepted by any member of the law firm.
To find how our friendly and knowledgeable solicitors can help you, contact us today.