25 Nov Free Wi-Fi: recommendations for a privacy-proof service

Authors: Sara Pecoraro, Francesca Tugnoli, Giada Iovane

Nowadays, it is common to find free Wi-Fi connectivity in public places such as conference halls, trains, gyms, hotels, shopping centres, offices, and restaurants [1]. Many entities, both in the public and especially in the private sector, have areas with free Wi-Fi connection (so-called ‘Wi-Fi Zones’) within their own premises and in spaces open to the public, in order to ensure that people have access to the Internet. This implies that such entities process the personal data of users when providing Wi-Fi service. Consequently, there is a need to comply with the data protection provisions that are in force. Firstly, those functional in guaranteeing data protection and security “by design”, pursuant to Articles 24 and 25 of Regulation (EU) no. 2016/679 (hereinafter, the “GDPR“).

It is the, therefore, necessary to identify those who offer the free Wi-Fi connection service (so-called ‘service providers’), this is to distinguish them from those who provide electronic communication services (so-called ‘resource providers’), the latter being subject to specific regulatory requirements and obligations [2].

The free Wi-Fi service: Recommendations of the Italian Data Protection Authority and privacy obligations

The Italian Data Protection Authority (hereinafter, the “Authority“) recently expressed its opinion regarding the correct application of the rules on the protection of personal data in connection with the provision of free Wi-Fi services in decision No. 201 of 29 October 2020[3]. The Authority, in expressing its “Opinion on the draft Guidelines prepared by AgID” (hereinafter, the “Opinion”)[4], issued useful indications to guide all those private sector entities that, intend to offer to their users a free Wi-Fi connection service.

From the analysis of the aforementioned Opinion, important clarifications emerge on the distinct roles, responsibilities and privacy obligations of service providers and resource providers.

In particular, the Opinion suggests that the following burdens are imposed on resource providers:

• • • Obligations to identify users and to store internet traffic data;
    • Setting up tracking systems functional to achieving the provisions of the previous point; and
    • Providing a specific information notice pursuant to Article 13 of the GDPR as a data controller.

On the other hand, service providers must:

• • • Equip themselves with user identification systems, for instance through the implementation of a so-called captive portal [5]. This is to avoid anonymous access to the network and enable the perpetrator of any unlawful conduct to be traced, collecting only the strictly necessary data, in compliance with the principles of proportionality and data minimization. To this end, the Authority considers it sufficient to simply store “data relating to user connection and disconnection”[6];
    • Identify the retention periods for personal data collected for user identification purposes in compliance with the principles of storage limitation and accountability[7];
    • Comply with the principle of transparency[8] by use of a specific information notice to the data subjects pursuant to Article 13 of the GDPR that is made available, for instance, within the Wi-Fi free access portal; and
    • Update, accordingly, the record of processing activities with a detailed description of the processing resulting from the free Wi-Fi service.

The Authority represents the general need for the aforementioned parties to comply with the security obligations set out in Article 32 of the GDPR and Article 132-ter of Legislative Decree No. 196/2003 (“Personal Data Protection Code”), by identifying and adopting technical and organizational security measures appropriate to the risk, to be subject to periodic verification.

Finally, the Authority highlighted the need for a correct configuration of the respective privacy roles of the service provider and the resource provider. From the Opinion, it is reasonable to draw the following conclusions, to be assessed on a case-by-case basis:

• • • The service provider would act as a data controller of the data collected for the purpose of identifying the users accessing the free Wi-Fi network, in order to allow the perpetrator of any unlawful conduct committed in the use of the Wi-Fi network to be traced[9]; and
    • The resource provider, on the other hand, would act with a ‘double hat’ of both data controller, for the processing of the data connected with the provision of the electronic communication service in compliance with the regulatory obligations incumbent on it. It would act as a data processor on behalf of the service provider, and also for a security purpose of the service provider. It follows, therefore, that it is necessary to enter into a specific agreement pursuant to Article 28 of the GDPR in cases where the resource provider actually plays an instrumental role for the service provider with respect to the processing of the personal data of the users collected within the free Wi-Fi service.

[1] Ensuring the “right” to connect is one of the main objectives of the European Union: wireless and free connectivity is considered the main tool to bridge the so-called digital divide. In particular, the European Parliament and the Council of the European Union have intervened on the subject through several Regulations, most recently Regulation (EU) No. 2021/1153 of 7 July 2021, establishing a Connecting Europe Facility (“CEF”) and repealing Regulations (EU) No. 1316/2013 and (EU) No. 283/2014, in order to stimulate the development of free wireless connectivity. The establishment of an EU-funded program called ‘WiFi4EU’ is relevant too, which aims to provide free Wi-Fi in town halls, public parks, and other centers of public life, https://wifi4eu.ec.europa.eu/#/home.

[2] See Article 96 of the Electronic Communications Code, as amended by Law No. 228 of 24 December 2012; Articles 123, 132, 132-ter of Legislative Decree No. 196 of 30 June 2003 “Personal Data Protection Code”; Article 24 of Law No. 167, as well as the General decision of the Italian Data Protection Authority of 17 January 2008 concerning the “Security in telephone and internet traffic data”, Web doc. No. 1502599, subsequently supplemented by the General Decision of 24 July 2008 “Regulatory transposition on the subject of telephone and internet traffic data”, Web doc. No. 1538224.

[3] Italian Data Protection Authority, decision no. 201 of 29 October 2020 “Opinion on the draft of the Guidelines prepared by AgID”, Web doc. No. 9487928. The draft of “Guidelines for the provision of the public Wi-Fi free service” can be found at this address: https://docs.italia.it/AgID/documenti-in-consultazione/lg-pubblicowififree/it/bozza/index.html.

[4] This measure would be specifically addressed to the Agency for Digital Italy (“AgID” – www.agid.gov.it), i.e., the technical agency of the Italian Prime Minister’s Office whose task is to ensure the implementation of the objectives of the Italian Digital Agenda and to contribute to the spread of the use of information and communication technologies, fostering innovation and economic growth. These guidelines would, in particular, be addressed to the entities referred to in Article 2(2) of the Digital Administration Code, i.e., publicly controlled companies, public administrations and public service operators (see Article 2(2) of the Digital Administration Code, https://www.normattiva.it/uri-res/N2Ls?urn:nir:stato:decreto.legislativo:2005-03-07;82).

[5] ‘Captive portal’ is the term used to define the web page that is shown to users in order to authenticate themselves before accessing the Internet via a Wi-Fi connection.

[6] Italian Data Protection Authority, Decision No. 201 of 29 October 2020, cited above.

[7] Art. 5(1)(e) and (2) of Regulation (EU) No. 2016/679.

[8] Art. 5(1)(a) of Regulation (EU) No 2016/679.

[9] As a rule, as also suggested by the Data Protection Authority in Decision No. 201 of 29 October 2020, cited above, the perimeter of service providers includes only data relating to the identification of users and connection and disconnection logs.