Nameless data can still be personal

[Roland Perry]

In article <49140FD9.2060105@iosis.co.uk>, Peter Tomlinson
<pwt@iosis.co.uk> writes
>"A person does not have to be identifiable by name for details of their
>computer usage to be protected by data protection laws, a senior
>European privacy watchdog has warned."
>
>"Companies which are unsure whether information such as activity or
>server logs or a record of internet protocol (IP) addresses are
>personal data or not should treat it all as personal data, the European
>Union's Data Protection Supervisor Peter Hustinx has said."
>
>Full article at http://www.out-law.com/page-9563

This has been their position for almost ten years [1] (so there isn't
really any "long standing confusion", I'm afraid).

In the EU we say "some IP addresses identify people, so we should treat
all of them as personal data", whereas our friends in the USA say "some
IP addresses cannot be used to identify people, so none of them need be
treated as personal data".

A fundamental difference of approach, and as is often the case in hi-
tech, people often hear about rules/laws and forget they are USA ones.

[1] "The use of the infrastructure is often directly based on the
processing of personal data, such as certain Internet Protocol
addresses."

http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/1999/wp16en.pdf

and also references in Opinion 136 by the Article 29 Working Party. In
particular example 15 on page 16:

http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2007/wp136_en.p
df
-- 
Roland Perry