Full Disclosure

[Joel Harrison]

On Tue, Apr 29, 2008 at 8:26 PM, Andrew Cormack <Andrew.Cormack@ja.net> wrote:
> And doesn't the recent Article 29WP opinion on google^H^H^H^H^H^Hsearch
>  engines and personal data make the effective definition of personal data
>  even wider? As I read it, though I may be wrong, they seemed to be
>  saying that unless you were sure the identifier couldn't be linked to a
>  person then you had to act as if it could. That's very different from UK
>  law post-Durant, of course.

They said that would be the safe approach, yes.

You're quite right to say that this is different from the UK law (and
that's the subject of the knuckle-rapping from the Commission that I
referred to above), but I don't think that's necessarily a post-Durant
development.

Inherent in the DPA's definition of personal data is that the
information necessary to identify the individual must be in the
possession, or be likely to come into the possession, of the data
controller.  That's been in the DPA since day one.  Now, that would
prevent a dynamically allocated IP address from being personal data in
the search engine's hands, because the search engine doesn't have
access to the ISP's logs.  It is also arguable that even static IP
addresses aren't personal data in the search engine's hands, because
the search engine may swear blind that it would never, ever run an IP
Whois lookup against the IP address and derive the necessary
information about the person to whom the IP address is allocated.

Under the Directive, though, since both the static and dynamic IP
address can be attributed to a person by the ISP (the latter with
barely more effort than the former), IP addresses are capable of being
personal data in the search engine's hands - see the reference to "any
other person" in recital 26 to the Directive.


Joel