One of Jisc’s activities is to monitor and, where possible, influence regulatory developments that affect us and our customer universities, colleges and schools as operators of large computer networks. Since Janet and its customer networks are classified by Ofcom as private networks, postings here are likely to concentrate on the regulation of those networks. Postings here are, to the best of our knowledge, accurate on the date they are made, but may well become out of date or unreliable at unpredictable times thereafter. Before taking action that may have legal consequences, you should talk to your own lawyers. NEW: To help navigate the many posts on the General Data Protection Regulation, I've classified them as most relevant to developing a GDPR compliance process, GDPR's effect on specific topics, or how the GDPR is being developed. Or you can just use my free GDPR project plan.


IP Addresses and Data Protection

Wednesday, June 6, 2012 - 10:10

An Occasionally Asked Question (an OAQ?) is "are IP addresses personal data?". That question is probably too broad to ever get a simple answer, but a recent decision by the Irish High Court (EMI Records & Others v Eircom Ltd [2010] IEHC 108) has at least answered the related question "are logs indexed by IP address always personal data?". And the answer to that question (at least in Ireland, though their Data Protection law is very similar to ours) is now "no".

Of course there are a lot of situations where such logs will be personal data: most obviously where the same organisation also has records of logins and DHCP allocations. Even if the organisation holding the logs cannot make a direct link from IP address to individual, some logs may contain sufficient information to create a significant risk of indirect identification - if you are trying to conceal your identity then don't do vanity searches for your own name! With enough information, even supposedly anonymised data sets can reveal patterns identifying a single individual, as the New York Times discovered a few years ago. Anyone collecting logs needs to take good care of them.

However the Irish court was asked by its Data Protection Commissioner to consider the particular situation where a monitoring agency, working on behalf of rightsholders, was inspecting Internet traffic to detect illegal sharing of copyrighted music. When a copyrighted track was detected, the agency sent the IP address to the ISP under an agreement with rightsholders. As in the discussion above, it was not questioned that the IP address information was personal data in the hands of the ISP. However the court decided that the addresses were not personal data when held by the monitoring agency, since it was "not at all likely" that either the agency or rightsholders would attempt to determine the identities of the users of the addresses. The court does not appear to have considered whether sufficient information about someone's taste in music might allow them to be identified indirectly ;-)

Although this is an Irish case, the Irish law definition of personal data is very similar to that in UK law:

"Data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller" (Ireland Data Protection Act 1988 s1(1))

"Data which relate to a living individual who can be identified— (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller" (UK Data Protection Act 1998 s1(1))

This is the first case I have come across that considered whether information can change its status under Data Protection law depending on who holds it. Its conclusion is that this is possible. It also appears to recognise pseudonymous identifiers (such as IP addresses) as something that with sufficient technical and procedural measures can deliver the privacy protection required by data protection law.

It's clear that a lot more work will be needed on how "sufficient" measures might be defined (I'm not convinced that knowing someone's searches and knowing their music tastes are so different in privacy terms), but an approach along these risk-based lines seems more likely to cope with the on-line world. A lot of our activities, from access management to internet security, could be legally simplified if the current revision of EU Data Protection law moves in that direction.