Last updated: 
3 months 3 weeks ago
Blog Manager
One of Jisc’s activities is to monitor and, where possible, influence regulatory developments that affect us and our customer universities, colleges and schools as operators of large computer networks. Since Janet and its customer networks are classified by Ofcom as private networks, postings here are likely to concentrate on the regulation of those networks. Postings here are, to the best of our knowledge, accurate on the date they are made, but may well become out of date or unreliable at unpredictable times thereafter. Before taking action that may have legal consequences, you should talk to your own lawyers. NEW: To help navigate the many posts on the General Data Protection Regulation, I've classified them as most relevant to developing a GDPR compliance process, GDPR's effect on specific topics, or how the GDPR is being developed. Or you can just use my free GDPR project plan.

Group administrators:

Personal Data - yet another contradictory decision

Wednesday, June 6, 2012 - 10:24

For a while there has been one pair of contradictory answers to the question of whether an IP address was personal data. Two different German courts were asked about addresses in the log of a web server: one said that was personal data, the other said it wasn't.

Now we seem to have another pair. A few months ago a court in Ireland was asked to rule on whether an agency was processing personal data when it examined traffic on a network, identified copyrighted files and reported them, with the originating IP address, to the relevant ISP. The Irish court said that it wasn't (case: EMI Records & Others -v- Eircom Ltd [2010] IEHC 108). Now a Swiss court has been asked the same question and has decided, on the contrary, that the agency is processing personal data, that it has no legal grounds for doing so and must therefore stop its activities (report on NewTeeVee). Switzerland (not part of the EC) has its own privacy law, so perhaps this difference isn't surprising, though in fact the Swiss definition of personal data - "all information relating to an identified or identifiable person" - looks pretty similar to the European one.

But what puzzles me is that, particularly in the copyright enforcement cases, the courts seem to be asking the wrong question. Both Swiss and EC law allow personal data to be processed without the user's consent if the processing is "in the legitimate interests of a natural or legal person, provided that the interests or the rights and freedoms of the data subject are not overriding" (Recital 30 of Directive 95/46/EC). Enforcing copyright is clearly in the interests of the rightsholder (a legal person), so the courts could instead have looked at whether or not those interests were overridden by the rights and freedoms of the individual user. That sort of discussion seems to me much more likely to produce a satisfactory and consistent (or at least justifiably inconsistent) outcome and a useful guide to how to approach a lot of other privacy questions. Unfortunately it seems to be a discussion that isn't taking place at the moment (unless you know differently, of course).