Full Disclosure

[Joel Harrison]

On Wed, Apr 30, 2008 at 7:58 AM, Roland Perry
<lists@internetpolicyagency.com> wrote:
> In article <7b6bd0c90804292254s5dc7172ci66d0b8cbd501c76b@mail.gmail.com>,
> Joel Harrison <joeldharrison@googlemail.com> writes
>
>
> > Inherent in the DPA's definition of personal data is that the
> > information necessary to identify the individual must be in the
> > possession, or be likely to come into the possession, of the data
> > controller.  That's been in the DPA since day one.  Now, that would
> > prevent a dynamically allocated IP address from being personal data in
> > the search engine's hands, because the search engine doesn't have
> > access to the ISP's logs.  It is also arguable that even static IP
> > addresses aren't personal data in the search engine's hands, because
> > the search engine may swear blind that it would never, ever run an IP
> > Whois lookup against the IP address and derive the necessary
> > information about the person to whom the IP address is allocated.
> >
>
>  I disagree with this line of argument in two ways:
>
>  1) It's not relevant whether the IP addresses are Static, Dynamic, or Fixed
> (dynamic technology but assigned an unchanging address). Because it's not
> immediately obvious which is which (in a general case), all must be treated
> the same.
>
>  2) Plenty of IP addresses can be associated with an individual without
> access to the information that an ISP has on file. Archives of mailing lists
> such as this, and Usenet, all contain a rich source of IP addresses. It has
> already been discussed (as a criticism of Phorm) how a search engine can
> come to conclusions about an individual simply from the searches they do,
> with examples. And as in #1 above, because some IP addresses can be traced
> in that way, then all of them should be protected.

By concentrating on what search engines should do in practice,
you're obscuring what I thought were two fairly interesting legal
points (others may disagree!), namely: (1) whether an IP address is
personal data under the DPA depends on what other information the data
controller has or is likely to have, and (2) the UK's implementation
of the Directive on this point may produce a different result from
that in other Member States.

Note also that the DPA looks at what other data is likely to come into
the data controller's possession.  So, a search engine may be "in
possession of" (to use your example) a page from a mailing list
archive that would allow an IP address already in the search engine's
possession to be matched to an individual.  But this is arguably too
broad a transposition of recital 26 of the Directive, which looks at "the
means likely reasonably to be used ... by the controller" - again,
what if the search engine swore blind (backing it up by reference to
internal policies, employee codes of conduct, etc, etc) that it would
never use information retrived from its crawling the web to identify a
person by reference to an IP address already in its possession?  Is
the individual identifiable by the search engine by "means likely
reasonably to be used" by it?

Also, what about web sites other than search engines, who don't crawl
through mailing list postings or Usenet archives?  Are they likely to
come into possession of information that enables them to identify
individuals by reference to IP addresses in their logs?  (Or, in the
language of the Directive, can they identify individuals by means
likely reasonably to be used by them?)

The point I'm making is that this is not a straightforward issue, and
one should not assume that IP addresses will invariably be personal
data.

Joel