<div dir="ltr"><a href="http://www.out-law.com/en/articles/2016/march/treating-ip-addresses-as-personal-data-is-best-approach-for-businesses-says-expert-/">http://www.out-law.com/en/articles/2016/march/treating-ip-addresses-as-personal-data-is-best-approach-for-businesses-says-expert-/</a><br clear="all"><div><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><br>FOCUS: Businesses should treat IP addresses as being subject to data
protection laws even if the EU's highest court rules that the
information is not to be automatically considered as being personal
data.<br><br>
<h1>Treating IP addresses as personal data is best approach for businesses, says expert </h1>
<div class="">
<p><span class="">09 Mar 2016</span>
</p>
</div>
<p>It would be prudent for companies to assume IP addresses are
personal data. This is because of the potential for that data to be used
to identify individual internet users when matched together with other
information.</p>
<p>Companies that treat IP addresses as being outside the scope of data
protection laws run the risk of being fined. Significant financial
penalties of up to 4% of a company's global annual turnover are a
possibility under new EU data protection laws soon to be finalised.</p>
<p>Guidance issued by data protection authorities and a UK court support
a cautious approach being taken to how businesses treat IP addresses.</p>
<p><em>The case before the Court of Justice of the EU (CJEU)</em></p>
<p><a href="http://curia.europa.eu/juris/document/document.jsf?text=&docid=162555&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=294693">The Federal Court of Justice in Germany has asked the CJEU</a>
to help it resolve a dispute before it that concerns whether IP
addresses constitute personal data for the purposes of the EU's Data
Protection Directive. The CJEU recently heard arguments in the case.</p>
<p>The German court has specifically asked the CJEU whether website
operators that store IP addresses when device users connect to their
sites can be said to be handling personal data if the businesses
facilitating those device users' online access – third party internet
service providers (ISPs) – hold "the additional knowledge required in
order to identify the data subject".</p>
<p><em>When is an IP address personal data?</em></p>
<p>Data protection watchdogs and courts have previously looked into
whether IP addresses can identify individuals and therefore qualify as
personal data. The nuanced view offered by these authorities shows that
there is often no simple, straightforward answer to that question.</p>
<p>The Information Commissioner's Office (ICO), the UK's data protection
watchdog, told us that if an individual can be identified from an IP
address then it would be personal data, but that would not always be
the case and "needs to be judged on a case-by-case basis". As part of
the analysis, organisations need to assess how specific an IP address is
to the device or user, it said.</p>
<p>That approach was accepted by a leading member of the UK judiciary in 2012. In a case before him, <a href="http://www.out-law.com/en/articles/2012/march1/o2-disclosure-ruling-could-impact-on-workings-of-imminent-new-anti-piracy-code-campaigners-say/">Mr Justice Arnold considered whether IP addresses could be relied upon as identifiers of alleged infringers of copyright</a>.
In his ruling the judge granted a rights holder an order which required
O2 to disclose the names and addresses of suspected illegal file
sharers that the rights holder had said it had identified through their
IP addresses.</p>
<p>Mr Justice Arnold said that the IP addresses would help the rights
holders identify "many, but not all" of the illegal file sharers. He
accepted evidence from consumer charity Consumer Focus that relying on
IP addresses as an identifier on their own could lead to individuals
being misidentified as copyright infringers. As a result, he said that
the disclosure order and the proposed letter of claim had to be "framed
so as properly to safeguard the legitimate interests of the [O2
customers], and in particular the interests of [O2 customers] who have
not in fact committed the infringements in question".</p>
<p>The view that device identifiers, like IP addresses, will not always
be personal data when considered in isolation is supported in opinions
issued by the Article 29 Working Party, a body that represents the
various national data protection authorities from across the EU,
including the ICO.</p>
<p>In an opinion in 2014 on <a href="http://www.out-law.com/en/articles/2014/november/cookie-rules-apply-to-alternative-device-fingerprinting-technologies-says-privacy-watchdog/">the application of EU e-Privacy rules to 'device fingerprinting'</a>,
the Working Party referenced the rise of technologies similar to
cookies that enable the tracking of device usage through "the
combination of a set of information elements". The Working Party
explained that these device fingerprints could be considered to be
personal data when matched together with other data, including IP
addresses.</p>
<p>The combination of "information elements", which on their own might
not be sufficient to identify users, can produce a set of data that is
"sufficiently unique (especially when combined with other identifiers
such as the originating IP address) to act as a unique fingerprint for
the device or application instance", the watchdog said.</p>
<p>The same logic applies in reverse – IP addresses might not
necessarily be capable of identifying individuals on their own, but the
ease with which someone can match that data with other potential
identifiers means that IP addresses could then be classed as personal
data.</p>
<p>However, <a href="http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf">in 2007 the Working Party had gone further</a>
(26-page / 139KB PDF). It said at the time that unless internet service
providers are "in a position to distinguish with absolute certainty"
that IP addresses "correspond to users that cannot be identified" then
they would need to treat that data as personal data "to be on the safe
side".</p>
<p>Organisations can look for further guidance on the issue from <a href="http://www.out-law.com/en/articles/2012/november/anonymising-personal-data-need-not-guarantee-privacy-says-ico-while-german-watchdog-raises-internet-disclosure-concerns/">the ICO's code of practice on anonymisation</a>.</p>
<p>According to the ICO, organisations do not have to guarantee that
data is 100% anonymised in order for it to be outside of the scope of
the Data Protection Act. Instead the ICO has said that providing there
is no more than a "remote" chance that data subjected to anonymisation
measures can be traced back to individuals then, for the purposes of the
law, that data would be treated as having been anonymised and no longer
'personal' data.</p>
<p>Organisations need to assess the risk of apparently anonymised data
being used to identify individuals when linked with other information.
The ICO said "the risk of identification must be greater than remote and
reasonably likely for information to be classed as personal data". It
said that organisations should consider whether someone, suitably
motivated to do so, "would be able to achieve re-identification" if they
tried. This is known as the motivated intruder test and would help
organisations determine if data was to be classed as personal data or
not, the ICO said.</p>
<p>However, the nuanced approach favoured by the ICO was not reflected in <a href="http://www.out-law.com/en/articles/2014/october/internet-of-things-data-should-be-treated-as-personal-data-say-privacy-watchdogs/">a data protection declaration issued in 2014 by global data privacy watchdogs</a> on the subject of data generated by devices, or 'internet of things' sensor data.</p>
<p>The declaration said: "'Internet of things' sensor data is high in
quantity, quality and sensitivity. This means the inferences that can be
drawn are much bigger and more sensitive, and identifiability becomes
more likely than not. Considering that the identifiability and
protection of big data already is a major challenge, it is clear that
big data derived from internet of things devices makes this challenge
many times larger. Therefore, such data should be regarded and treated
as personal data."</p>
<p><em>Personal data is a broadening concept</em></p>
<p>Businesses should adopt the same view as expressed in the declaration
when processing IP addresses. This is the prudent approach to take. IP
addresses, as data protection authorities and the courts have
determined, might not always constitute personal data on their own.
However, there is an increasing volume of data being produced and
analytics tools are also becoming more powerful and enabling data that
has previously existed in silos to be interlinked. This makes it easier
than ever before for individual pieces of data to be matched and linked
to individuals.</p>
<p><a href="http://www.out-law.com/en/topics/tmt--sourcing/eu-data-protection-regulation/">The General Data Protection Regulation</a>,
set to overhaul existing EU data protection rules, looks like it will
apply a broad definition of 'personal data' to account for this
technological advancement.</p>
<p>According to one recital in the Regulation, to determine whether data
identifies a person "account should be taken of all the means
reasonably likely to be used, such as singling out, either by the
controller or by any other person to identify the individual directly or
indirectly".</p>
<p>The approach outlined in the Regulation appears, in effect, to codify
the motivated intruder test that the ICO endorses in its anonymisation
code but which is not accounted for in the wording of the Data
Protection Act (DPA).</p>
<p>The DPA requires that data controllers consider what information they
have in their possession or are likely to get their hands on when
determining if data is personal data. They must also consider what
personal identifiers a third party data controller holds if they intend
to disclose anonymised data to that organisation, to determine if it would
allow for re-identification through data matching.</p>
<p>The DPA does not, though, require data controllers to consider what
efforts are necessary to enable re-identification, just whether data is
available or likely to be available to enable re-identification.</p>
<p>The change in approach, coupled with the potential for significant
fines of up to 4% of annual global turnover to be levied under the new
Regulation and the reputational damage that can arise if personal data
is mishandled, should spur businesses to treat IP addresses as personal
data even if the CJEU does not explicitly state this is necessary in its
forthcoming ruling.</p><br></div></div></div></div></div></div></div></div></div>
</div>