[BreachExchange] Treating IP addresses as personal data is best approach for businesses, says expert

Inga Goddijn inga at riskbasedsecurity.com
Wed Mar 9 20:31:21 EST 2016


http://www.out-law.com/en/articles/2016/march/treating-ip-addresses-as-personal-data-is-best-approach-for-businesses-says-expert-/

FOCUS: Businesses should treat IP addresses as being subject to data
protection laws even if the EU's highest court rules that the information
is not to be automatically considered as being personal data.

Treating IP addresses as personal data is best approach for businesses,
says expert

FOCUS: Businesses should treat IP addresses as being subject to data
protection laws even if the EU's highest court rules that the information
is not to be automatically considered as being personal data.09 Mar 2016

   - Data protection <http://www.out-law.com/page-348>
   - TMT & Sourcing <http://www.out-law.com/en/topics/tmt--sourcing/>
   - UK <http://www.out-law.com/en/regions/europe/uk/>
   - Europe <http://www.out-law.com/en/regions/europe/>
   - Germany <http://www.out-law.com/en/regions/europe/germany/>
   - France <http://www.out-law.com/en/regions/europe/france/>

It would be prudent for companies to assume IP addresses are personal data.
This is because of the potential for that data to be used to identify
individual internet users when matched together with other information.

Companies that treat IP addresses as being outside the scope of data
protection laws run the risk of being fined. Significant financial
penalties of up to 4% of a company's global annual turnover are a
possibility under new EU data protection laws soon to be finalised.

Guidance issued by data protection authorities and a UK court support a
cautious approach being taken to how businesses treat IP addresses.

*The case before the Court of Justice of the EU (CJEU)*

The Federal Court of Justice in Germany has asked the CJEU
<http://curia.europa.eu/juris/document/document.jsf?text=&docid=162555&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=294693>
to help it resolve a dispute before it that concerns whether IP addresses
constitute personal data for the purposes of the EU's Data Protection
Directive. The CJEU recently heard arguments in the case.

The German court has specifically asked the CJEU whether website operators
that store IP addresses when device users connect to their sites can be
said to be handling personal data if the businesses facilitating those
device users' online access – third party internet service providers (ISPs)
– hold "the additional knowledge required in order to identify the data
subject".

*When is an IP address personal data?*

Data protection watchdogs and courts have previously looked into whether IP
addresses can identify individuals and therefore qualify as personal data.
The nuanced view offered by these authorities show that there is often not
a simple straight answer to that question.

The Information Commissioner's Office (ICO), the UK's data protection
watchdog, told us that it if an individual can be identified from an IP
address then it would be personal data, but that would not always be the
case and "needs to be judged on a case-by-case basis". As part of the
analysis, organisations need to assess how specific an IP address is to the
device or user, it said.

That approach was accepted by a leading member of the UK judiciary in 2012.
In a case before him, Mr Justice Arnold considered whether IP addresses
could be relied upon as identifiers of alleged infringers of copyright
<http://www.out-law.com/en/articles/2012/march1/o2-disclosure-ruling-could-impact-on-workings-of-imminent-new-anti-piracy-code-campaigners-say/>.
In his ruling the judge granted a rights holder an order which required O2
to disclose the names and addresses of suspected illegal file sharers that
the rights holder had said it had identified through their IP addresses.

Mr Justice Arnold said that the IP addresses would help the rights holders
identify "many, but not all" of the illegal file sharers. He accepted
evidence from consumer charity Consumer Focus that relying on IP addresses
as an identifier on their own could lead to individuals being misidentified
as copyright infringers. As a result, he said that the disclosure order and
the proposed letter of claim had to be "framed so as properly to safeguard
the legitimate interests of the [O2 customers], and in particular the
interests of [O2 customers] who have not in fact committed the
infringements in question".

The view that device identifiers, like IP addresses, will not always be
personal data when considered in isolation is supported in opinions issued
by the Article 29 Working Party, a body that represents the various
national data protection authorities from across the EU, including the ICO.

In an opinion in 2014 on the application of EU e-Privacy rules to 'device
fingerprinting'
<http://www.out-law.com/en/articles/2014/november/cookie-rules-apply-to-alternative-device-fingerprinting-technologies-says-privacy-watchdog/>,
the Working Party referenced the rise of technologies similar to cookies
that enable the tracking of device usage through "the combination of a set
of information elements". The Working Party explained that these device
fingerprints could be considered to be personal data when matched together
with other data, including IP addresses.

The combination of "information elements", which on their own might not be
sufficient to identify users, can produce a set of data that is
"sufficiently unique (especially when combined with other identifiers such
as the originating IP address) to act as a unique fingerprint for the
device or application instance", the watchdog said.

The same logic applies in reverse – IP addresses might not necessarily be
capable of identifying individuals on their own, but the ease with which
someone can match that data with other potential identifiers means that IP
addresses could then be classed as personal data.

However, in 2007 the Working Party had gone further
<http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf>
(26-page / 139KB PDF). It said at the time that unless internet service
providers are "in a position to distinguish with absolute certainty" that
IP addresses "correspond to users that cannot be identified" then it would
need to treat that data as personal data "to be on the safe side".

Organisations can look for further guidance on the issue from the ICO's
code of practice on anonymisation
<http://www.out-law.com/en/articles/2012/november/anonymising-personal-data-need-not-guarantee-privacy-says-ico-while-german-watchdog-raises-internet-disclosure-concerns/>
.

According to the ICO, organisations do not have to guarantee that data is
100% anonymised in order for it to be outside of the scope of the Data
Protection Act. Instead the ICO has said that providing there is no more
than a "remote" chance that data subjected to anonymisation measures can be
traced back to individuals then, for the purposes of the law, that data
would be treated as having been anonymised and no longer 'personal' data.

Organisations need to assess the risk of apparently anonymised data being
used to identify individuals when linked with other information. The ICO
said "the risk of identification must be greater than remote and reasonably
likely for information to be classed as personal data". It said that
organisations should consider whether someone, suitably motivated to do so,
"would be able to achieve re-identification" if they tried. This is known
as the motivated intruder test and would help organisations determine if
data was to be classed as personal data or not, the ICO said.

However, the nuanced approach favoured by the ICO was not reflected in a
data protection declaration issued in 2014 by global data privacy watchdogs
<http://www.out-law.com/en/articles/2014/october/internet-of-things-data-should-be-treated-as-personal-data-say-privacy-watchdogs/>
on the subject of data generated by devices, or 'internet of things' sensor
data.

The declaration said: "'Internet of things’ sensor data is high in
quantity, quality and sensitivity. This means the inferences that can be
drawn are much bigger and more sensitive, and identifiability becomes more
likely than not. Considering that the identifiability and protection of big
data already is a major challenge, it is clear that big data derived from
internet of things devices makes this challenge many times larger.
Therefore, such data should be regarded and treated as personal data."

*Personal data is a broadening concept*

Businesses should adopt the same view as expressed in the declaration when
processing IP addresses. This is the prudent approach to take. IP
addresses, as data protection authorities and the courts have determined,
might not always constitute personal data on their own. However, there is
an increasing volume of data being produced and analytics tools are also
becoming more powerful and enabling data that has previously existed in
silos to be interlinked. This makes it easier than ever before for
individual pieces of data to be matched and linked to individuals.

The General Data Protection Regulation
<http://www.out-law.com/en/topics/tmt--sourcing/eu-data-protection-regulation/>,
set to overhaul existing EU data protection rules, looks like it will apply
a broad definition of 'personal data' to account for this technological
advancement.

According to one recital in the Regulation, to determine whether data
identifies a person "account should be taken of all the means reasonably
likely to be used, such as singling out, either by the controller or by any
other person to identify the individual directly or indirectly".

This approach outlined in the Regulation appears to in effect codify the
motivated intruder test that the ICO supports the use of in its
anonymisation code but which is actually not accounted for within the
wording of the Data Protection Act (DPA).

The DPA requires that data controllers consider what information they have
in their possession or are likely to get their hands on when determining if
data is personal data. They must also consider what personal identifiers a
third party data controller holds if they intend to disclose anonymise data
to that organisation to determine if it would allow for reidentification
through data matching.

The DPA does not, though, require data controllers to consider what efforts
are necessary to enable re-identification, just whether data is available
or likely to be available to enable re-identification.

The change in approach, coupled with the potential for significant fines of
up to 4% of annual global turnover to be levied under the new Regulation
and the reputational damage that can arise if personal data is mishandled,
should spur businesses to treat IP addresses as personal data even if the
CJEU does not explicitly state this is necessary in its forthcoming ruling.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160309/7527792d/attachment-0001.html>


More information about the BreachExchange mailing list