Nameless data can still be personal
Joel Harrison
ukcrypto at chiark.greenend.org.uk
Sat, 8 Nov 2008 14:32:02 +0000
On 7 Nov 2008, at 16:33, Roland Perry <lists@internetpolicyagency.com>
wrote:
> In article <49140FD9.2060105@iosis.co.uk>, Peter Tomlinson
> <pwt@iosis.co.uk> writes
>> "A person does not have to be identifiable by name for details of
>> their
>> computer usage to be protected by data protection laws, a senior
>> European privacy watchdog has warned."
>>
>> "Companies which are unsure whether information such as activity or
>> server logs or a record of internet protocol (IP) addresses are
>> personal data or not should treat it all as personal data, the
>> European
>> Union's Data Protection Supervisor Peter Hustinx has said."
>>
>> Full article at http://www.out-law.com/page-9563
>
> This has been their position for almost ten years [1] (so there isn't
> really any "long standing confusion", I'm afraid).
>
> In the EU we say "some IP addresses identify people, so we should
> treat
> all of them as personal data", whereas our friends in the USA say
> "some
> IP addresses cannot be used to identify people, so none of them need
> be
> treated as personal data".
>
> A fundamental difference of approach, and as is often the case in hi-
> tech, people often hear about rules/laws and forget they are USA ones.
>
> [1] "The use of the infrastructure is often directly based on the
> processing of personal data, such as certain Internet Protocol
> addresses."
>
> http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/1999/wp16en.pdf
>
> and also references in Opinion 136 by the Article 29 Working Party. In
> particular example 15 on page 16:
>
> http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2007/wp136_en.p
> df
> --
> Roland Perry
>
It's worth noting that the UK is out of step with much of the rest of
the EU on this point. In the UK an IP address will usually not be
personal data, other than in the hands of the user's ISP or law
enforcement officials, because the person processing the data lacks
the necessary information to identify the user.
Joel