Citizens are increasingly being monitored and tracked by public authorities and commercial interests. Many carry digital devices which, by design, emit a unique identifier, such as the WiFi Media Access Control (MAC) address of a smartphone. Even though the MAC address does not directly reveal the identity of a person, it can be used for recognising individuals between different sensor points and tracking their movements. With a sufficient number of sensors, an almost complete profile of a person’s movement in a city can be obtained without consent.
The Danish Business Authority, which is the regulatory authority for the Danish transposition of the ePrivacy Directive, initially indicated in media comments that these systems were subject to Article 5(3) of the ePrivacy Directive and that consent was required. There is no practical way that the required consent could be obtained, so this would effectively have forced the Danish municipalities to stop their traffic monitoring projects.
In January 2015, a formal request to the Danish Business Authority about the collection of MAC addresses was submitted and the Danish Business Authority rendered a formal decision on the matter which reversed its initial position that the consent requirement of Article 5(3) applies to these systems.