In a decision handed down on 8 February 2017, the Conseil d’Etat ruled in favour of the French data protection authority, the CNIL, after it refused to authorise a well-known advertising company to test a new audience measuring tool on the flow of pedestrians in a specific location. The company in question proposed to use WiFi counting boxes placed on billboards to capture the MAC addresses of mobile devices within a range of 25 metres. The purpose of the tool is to count the number of people passing by the billboards, to identify their direction of movement and count the number of repeat visits.

The Conseil d’Etat held that there was insufficient information for data subjects, noting that a proposed information notice would not have been prominent enough to cover the entire range of the tracking device. In addition, the Conseil d’Etat found that the advertising company had not considered data subjects’ rights to object, to access their data and to ask for rectification. It was considered, however, that the consent of the data subjects was not required.

The Conseil d’Etat also considered the proposed methods for the anonymisation of data to be problematic. The advertising company argued that it planned to “anonymise” the data by truncating and blurring MAC addresses (according to the “salting” and “hash key” methods).

Thus, according to the company, the risk of identification was negligible. However, it was considered that the administrator could still re-identify the data subjects. The anonymisation envisaged was, therefore, incomplete. Moreover, the purpose of the processing, to identify the movements of persons and the number of repeat visits throughout the duration of the test, was considered to be incompatible per se with the anonymisation of the data.
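The reasoning above can be illustrated with a short added example, which is not taken from the decision or from the company's system. It assumes that "truncation" drops the last octet of the MAC address and that the "salt"/"hash key" is a secret key for HMAC-SHA256; the key, sample addresses and function names are constructed for illustration.

```python
import hashlib
import hmac

def truncate_mac(mac: str) -> bytes:
    """Assumed truncation: keep the first five of the six octets."""
    return bytes.fromhex(mac.replace(":", ""))[:5]

def pseudonymise(mac: str, key: bytes) -> str:
    """Keyed hash of the truncated MAC; stable for as long as the key is kept."""
    return hmac.new(key, truncate_mac(mac), hashlib.sha256).hexdigest()[:16]

# Constructed sightings using locally administered addresses, not real devices.
SIGHTINGS = [
    ("day1", "02:00:00:aa:bb:01"),
    ("day1", "02:00:00:cc:dd:02"),
    ("day2", "02:00:00:aa:bb:01"),
    ("day3", "02:00:00:aa:bb:01"),
]

FIXED_KEY = b"constructed-test-key"

def fixed_key(day: str) -> bytes:
    """Same key for the whole test: tokens stay linkable across days."""
    return FIXED_KEY

def rotating_key(day: str) -> bytes:
    """Different key per day (a real design would also discard old keys)."""
    return hashlib.sha256(FIXED_KEY + day.encode()).digest()

def repeat_visitors(sightings, key_for_day) -> int:
    """Number of tokens observed on more than one day."""
    days_by_token = {}
    for day, mac in sightings:
        token = pseudonymise(mac, key_for_day(day))
        days_by_token.setdefault(token, set()).add(day)
    return sum(1 for days in days_by_token.values() if len(days) > 1)

def key_holder_can_link(known_mac: str, key: bytes, stored_tokens) -> bool:
    """Whoever holds the key can recompute the token for a known address."""
    return pseudonymise(known_mac, key) in stored_tokens

STORED = {pseudonymise(mac, FIXED_KEY) for _, mac in SIGHTINGS}

if __name__ == "__main__":
    print("repeat visitors, fixed key:   ", repeat_visitors(SIGHTINGS, fixed_key))
    print("repeat visitors, rotating key:", repeat_visitors(SIGHTINGS, rotating_key))
    print("key holder links known MAC:   ",
          key_holder_can_link("02:00:00:aa:bb:01", FIXED_KEY, STORED))
```

With a fixed key the repeat-visit count works precisely because each token still singles out a device, and the key holder can map a known address back to its records; once the key changes per day, that link disappears and so does the repeat-visit measurement.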