Nameless data can still be personal

Nicholas Bohm ukcrypto at chiark.greenend.org.uk
Sun, 09 Nov 2008 10:23:44 +0000 

Joel Harrison wrote:
> On 7 Nov 2008, at 16:33, Roland Perry <lists@internetpolicyagency.com>
> wrote:
> 
>> In article <49140FD9.2060105@iosis.co.uk>, Peter Tomlinson
>> <pwt@iosis.co.uk> writes
>>> "A person does not have to be identifiable by name for details of their
>>> computer usage to be protected by data protection laws, a senior
>>> European privacy watchdog has warned."
>>>
>>> "Companies which are unsure whether information such as activity or
>>> server logs or a record of internet protocol (IP) addresses are
>>> personal data or not should treat it all as personal data, the European
>>> Union's Data Protection Supervisor Peter Hustinx has said."
>>>
>>> Full article at http://www.out-law.com/page-9563
>>
>> This has been their position for almost ten years [1] (so there isn't
>> really any "long standing confusion", I'm afraid).
>>
>> In the EU we say "some IP addresses identify people, so we should treat
>> all of them as personal data", whereas our friends in the USA say "some
>> IP addresses cannot be used to identify people, so none of them need be
>> treated as personal data".
>>
>> A fundamental difference of approach, and as is often the case in hi-
>> tech, people often hear about rules/laws and forget they are USA ones.
>>
>> [1] "The use of the infrastructure is often directly based on the
>> processing of personal data, such as certain Internet Protocol
>> addresses."
>>
>> http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/1999/wp16en.pdf
>>
>> and also references in Opinion 136 by the Article 29 Working Party. In
>> particular example 15 on page 16:
>>
>> http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2007/wp136_en.p
>> df
>> -- 
>> Roland Perry
>>
> It's worth noting that the UK is out of step with much of the rest of
> the EU on this point.  In the UK an IP address will usually not be
> personal data, other than in the hands of the user's ISP or law
> enforcement officials, because the person processing the data lacks the
> necessary information to identify the user.

This may be because of the confused notion that "identity" means "name
and address and ..."; whereas on any sensible analysis, a text string
identifies a person if it regularly accompanies that person's transactions.

Nicholas
-- 
Salkyns, Great Canfield, Takeley,
Bishop's Stortford CM22 6SX, UK

Phone  01279 870285    (+44 1279 870285)
Mobile  07715 419728    (+44 7715 419728)

PGP public key ID: 0x899DD7FF.  Fingerprint:
5248 1320 B42E 84FC 1E8B  A9E6 0912 AE66 899D D7FF