Without doubt services such as Google Street View can be useful. Just imagine that you are going for a job-interview in an unfamiliar city-centre; isn’t it useful to know the lay of the land before you travel?
However, away from the city centres, some householders claim that Google’s Street View has invaded their private space by publishing pictures that can zoom through the upstairs windows or into front rooms. Sometimes, privacy campaigners have based their data protection arguments on the processing of images that show shadowy Street View figures in a compromising poses. However, several Privacy Commissioners have come to the view that subject to safeguards associated with data removal, there is no privacy issue.
In general, there is a current, lively debate as to whether data that contains no name but is linked to an Internet user session via an IP address, URL or similar reference number is personal data or not. The stakes are high: if the data are not personal data, then the person who controls the data has almost untrammelled power to decide the nature of the processing. By contrast, if the data are personal data, that controller would be constrained by the data protection obligations that serve to protect the privacy of the individual user concerned.
We have published details that describe a simple test of whether or not certain information linked to an IP address, reference number or URL is personal data. We show that if the individual user concerned provides the service provider (e.g. Google) with the necessary identifying information (easily obtainable as we show), then the data ARE personal data, unambiguously in relation to any future processing. If sufficient individual users each provide the necessary identifying details, then the data linked to ANY individual should be considered to be personal data.
In other words, any individual users can, at any time, seek the protection of a data protection regime by providing the necessary identifying details to any organisation that stores their IP address or URL. This also means that organisations will have to adjust their procedures to take account of the reality that any subsequent processing of URLs or IP addresses, can be, at any time the processing of personal data.
The document below describes how individuals can protect their internet browsing by engaging a data protection regime. IP addresses and URLs linked to user sessions can be transformed into personal data at any time.