Nameless data can still be personal

Joel Harrison ukcrypto at chiark.greenend.org.uk
Sun, 9 Nov 2008 12:17:00 +0000


On 9 Nov 2008, at 11:38, "Andrew Cormack" <Andrew.Cormack@ja.net> wrote:

>> -----Original Message-----
>> From: ukcrypto-admin@chiark.greenend.org.uk [mailto:ukcrypto-admin@chiark.greenend.org.uk] On Behalf Of Joel Harrison
>> Sent: 08 November 2008 14:32
>> To: ukcrypto@chiark.greenend.org.uk
>> Subject: Re: Nameless data can still be personal
>>
>> On 7 Nov 2008, at 16:33, Roland Perry <lists@internetpolicyagency.com> wrote:
>>
>>> In article <49140FD9.2060105@iosis.co.uk>, Peter Tomlinson
>>> <pwt@iosis.co.uk> writes
>>>> "A person does not have to be identifiable by name for details of
>>>> their computer usage to be protected by data protection laws, a
>>>> senior European privacy watchdog has warned."
>>>>
>>>> "Companies which are unsure whether information such as activity or
>>>> server logs or a record of internet protocol (IP) addresses are
>>>> personal data or not should treat it all as personal data, the
>>>> European Union's Data Protection Supervisor Peter Hustinx has said."
>>>>
>>>> Full article at http://www.out-law.com/page-9563
>>>
>>> This has been their position for almost ten years [1] (so there isn't
>>> really any "long standing confusion", I'm afraid).
>>>
>>> In the EU we say "some IP addresses identify people, so we should
>>> treat all of them as personal data", whereas our friends in the USA
>>> say "some IP addresses cannot be used to identify people, so none of
>>> them need be treated as personal data".
>>>
>>> A fundamental difference of approach, and as is often the case in
>>> hi-tech, people often hear about rules/laws and forget they are USA
>>> ones.
>>>
>>> [1] "The use of the infrastructure is often directly based on the
>>> processing of personal data, such as certain Internet Protocol
>>> addresses."
>>>
>>> http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/1999/wp16en.pdf
>>>
>>> and also references in Opinion 136 by the Article 29 Working Party. In
>>> particular example 15 on page 16:
>>>
>>> http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2007/wp136_en.pdf
>>> --
>>> Roland Perry
>>>
>> It's worth noting that the UK is out of step with much of the rest of
>> the EU on this point.  In the UK an IP address will usually not be
>> personal data, other than in the hands of the user's ISP or law
>> enforcement officials, because the person processing the data lacks
>> the necessary information to identify the user.
>
> Joel
> If you have a reference for the fact that IP addresses aren't personal
> data in the UK then I'd love to know it.
>
> As far as I can see the only difference in the text of UK and EU law is
> that the UK has an additional "likely", when saying that the information
> has to be linkable either itself or in association with information
> likely to be available to the data controller.

There's another profound difference, which is that the Directive
refers to means likely reasonably to be used by the controller *or any
other person* (see recital 26), whereas the Act refers to what is, or
is likely to be, in the possession of the *data controller*. That is
hugely significant, and the reason why the analysis is different in
English law.


> So it appears that we may
> be slightly less strict than the directive in allowing highly unlikely
> circumstances (e.g. you buy the disk containing the linking information
> on eBay...) to influence whether or not something is personal data.

Less strict, but also different. Under the Act, if you are in
possession of the linking information but it's so heavily buried in
other data that you're highly unlikely ever to consult it, that's
still personal data.  Under the Directive, it theoretically depends
how likely it is that you'll consult that data (although I wouldn't
stretch that too far).


>
> However the Article 29 WP's guidance seems to suggest that such unlikely
> events are not sufficient to make the information personal, so they may
> be reading in some likelihood test anyway.
>
> This also seems to be the logic of the Munich court, in finding that it
> would require a breach of the law (by the ISP) for a server operator to
> learn the identity of the temporary owners of IP addresses, and that is
> apparently either impossible or unlikely in Bavaria...
>
> Incidentally *anyone* who controls personal data is a data controller:
> there doesn't have to be just one DC for each item of personal data. So
> if personal data escapes from its original controller, in a form that
> makes it still personal, then as far as I can see the recipient is a
> data controller too.
>
That is correct.

> Andrew