Czech Republic: Public Wi-Fi Networks and GDPR


As the effective date of the General Data Protection Regulation (the “GDPR”) in May 2018 draws nearer, the media supply us with a growing number of informed and less informed articles on the allegedly problematic aspects of the regulation. A nationwide TV station has introduced a more or less regular news section in which it warns that after 25 May 2018, its journalistic options will be greatly reduced, among other things with regard to sharing information on serious criminal offences and their perpetrators. These news are being confirmed by various „experts“, some of them legal professionals, some of them not. However, most such information is, delicately put, inaccurate. The topic also became popular with a number of politicians who, apparently without any deeper knowledge of the GDPR, do not hesitate to express extensive criticism. It is of course legitimate to fight against excessive regulation; however, the fight would be more convincing if the critics had at least an elementary level of knowledge of the matter.

Recently, a national web daily[1] brought “doom saying” news that the GDPR will prevent providers of public Wi-Fi networks (i.e. free access points), such as hotels, restaurants or hospitals from offering password-unprotected Wi-Fi networks to their customers. The author of the article argues that providing such a network would per se violate the new regulation. The article, named “Restaurants and hotels offering unprotected publicly available Wi-Fi networks face devastating penalties”, included the following quotes: “restaurants, bars, schools and companies should know of everyone connecting to their network and should have a control over where their password is available”, „the law says that Wi-Fi network providers should be able to identify any person sending false alarm reports or illegal content through their Wi-Fi network. If they run an unprotected network, they risk civil lawsuits and, in the worst case, criminal prosecution for complicity. Penalties up to twenty million euros may be imposed for the breach of the GDPR.” or „a protected network is not only a global standard, but under the GDPR, a necessity”. Although it is clear that the GDPR does introduce new obligations for controllers and processors of personal data and that the regulation is rather extensive and complex, it is at the same time necessary to add that a number of obligations required by the GDPR have already been in existence (and widely ignored) for the last 20 years and that the GDPR merely reintroduces them. It is also necessary to note that information conveyed by the above quotes is usually very far from reality.

At the end of February, the Office for Personal Data Protection officially denied and challenged conclusions made in the above-mentioned article. One such conclusion was that the GDPR requires that all Wi-Fi networks shall be protected by a password. That is clearly not true. The Office rightly argues that the protection of privacy is based on the „informational self-determination of data subjects“, which means that personal data are irreversibly vested in the data subjects and it is in the first place up to the data subjects themselves to decide to whom they will provide them. It is therefore fully in the individuals’ discretion whether they will decide to use someone else’s unprotected network. The Office also correctly points out that the GDPR applies to personal data processing in electronic communication networks only to the extent not regulated by other legislation, namely the 2002/58/EC Directive on Privacy and Electronic Communications. This Directive has been effective in the Czech Republic for several years and implemented by Act no. 127/2005 Sb., on Electronic Communications, and Act no. 480/2004 Sb., on Services of Information Society. The Office also informs that discussions are currently being held at the EU level to replace the Directive on Privacy and Electronic Communications by a new regulation (other than the GDPR). In response to the article, the Office further states that a Wi-Fi network provider naturally knows (or is able to know, if it monitors the network) of each connected user. However, filtering or monitoring messages (in order to detect a false alarm report or otherwise illegal content) is not the network provider’s duty. Actually, if the network provider tracked the contents of communications sent through the network, it could be liable for violation of private communication, which may be a criminal offence.

Certain points and marginal conclusions made by the Office could be questioned as well, for instance its categorical opinion on the difference between criminal and administrative liability. This is however not relevant for the issues mentioned above.

The Office finally provides its view on the amount of penalty which may be imposed for running an unprotected Wi-Fi network. This view should be perceived in a wider context as it can indicate how, in the future, the Czech regulatory authority will approach sanctions under the GDPR. Obligations arising out of running a public Wi-Fi network are, according to the Office, primarily regulated by Czech legislation, and will, in the future, fall within the scope of the new regulation on privacy and electronic communications. Information provided in the above-mentioned article is therefore misleading. According to the regulatory authority, even when sanctions are imposed under the GDPR, there is usually no risk of a penalty up to „twenty million euros“. The amount of the penalty shall be proportionate to the gravity of the offence (Article 83 (1) of the GDPR), which means that running an unprotected Wi-Fi network, even if it were an offence, would in no way be sanctioned by a penalty of EUR 20,000,000, but rather by a penalty ten thousand times lower (i.e. around tens of thousands of Czech crowns).