What better way to spend Data Protection Day (yesterday) than having a light-bulb moment; this is especially the case as, at my age, light bulbs tend to go in a different direction.
My thoughts on IP addresses were triggered by the Ryneš ECJ case (domestic purposes exemption does not apply to surveillance of public places from a domestically installed CCTV). I think the Ryneš case strengthens the argument that an IP address is personal data in many instances.
If I am correct, the UK’s Data Protection Act definition of "personal data" is definitely a deficient implementation of the personal data definition in Directive 95/46/EC, In addition, the right to object to marketing to search engines (and perhaps apps on smartphones) follows automatically.
Identifying the data subject
In the ECJ judgments of Google Spain and Ryneš (see references), it was “deft” analysis of the Recitals of the Directive 95/46/EC that helped the Court come to its conclusions. So to start the argument, consider Recital 26 of Directive and the definition of "personal data" in the UK DP Act.
Both concern the question of “whether an individual is identified or identifiable from a set of data?”. If the answer is “yes”, then this ability to identify transforms such “data” into “personal data”. That step is common to both the Directive and the UK Act.
However, Recital 26 states that this identifiability depends on what the data controller and any other person knows.
(26) …”whereas, to determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person” (my emphasis).
This contrasts with the UK definition of "personal data" which insists that any identifying has to be done by the data controller (and not by “any other person”).
“personal data” means data which relate to a living individual who can be identified— (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller… (my emphasis).
So there’s the difference: with the UK’s DPA definition only the data controller does the identifying.
The Ryneš Judgement
In the Ryneš case, it was explained that Mr. Ryneš used a fixed position camera system to record the entrance to his home, the public footpath and the entrance to the house opposite; the purpose of the system was to protect his home from vandalism. The system had no display unit so Mr. Ryneš could not view the recorded images.
On one occasion a window was broken by a stone, shot from a catapult. The recording was handed to the police who used it in the subsequent criminal proceedings as the video made it possible to identify the culprits. No doubt, Mr. Ryneš would be shown the footage to see if he could identify the individuals; this would most likely be the first thing the police would do.
Obviously if Mr. Ryneš could identify the vandals from the recording (e.g. if they were the neighbour’s children), then there is no question that he is a data controller processing personal data.
This leads to the key question I want to consider: “Is Mr. Ryneš processing personal data when he does not know the identity of the vandals using the catapult?”. This is important because, in the Ryneš judgement, the Court concluded that Mr. Ryneš was a data controller in all the circumstances of the case (i.e. it decided that Mr. Ryneš was definitely processing personal data).
Now apply the tests in the UK DPA definition of personal data to see whether Mr. Ryneš is a data controller:
Does the data relate to a living individual that is identified by Mr. Ryneš from his recording. Answer “No”: Mr. Ryneš has no idea who the vandals are.
Does the data relate to a living individual who can be identified by Mr. Ryneš from his recording and other information which is in the possession of Mr. Ryneš? Answer “No”: Mr. Ryneš has no other information in his possession at the time of recording to identify any individual with the catapult as he hasn’t a clue “who dunnit”.
Does the data relate to a living individual who can be identified by Mr. Ryneš from his recording and other information that is likely to come into his possession at a later stage? Answer “No”: Mr. Ryneš has handed the recording to the police who then identify the culprits. When the vandals are identified by the police, Mr. Ryneš is likely be informed of their identity, but when this happens he does not have the data (as the recording has already been handed over to the police and the data are not in Mr. Ryneš’s possession).
Of course, one can argue “well perhaps at the time of the recording, the vandal with the catapult was potentially identifiable by Mr. Ryneš not by name but by some characteristic or clothing?”. For example, perhaps a vandal has one leg, or was wearing an exceptional, valuable or outstanding piece of clothing (e.g. a shirt in Barnsley Football Cub colours).
Perhaps Mr. Ryneš kept a copy of the recording, so when the police told him who they were prosecuting, he would become a data controller. Who knows?
However, as soon as you argue “identifiability” in conjunction with “perhaps” there is a degree of uncertainty (especially as Mr. Ryneš has no display unit). In the Ryneš judgement, there was no uncertainty; the Court was certain that Mr. Ryneš was processing personal data.
So what has removed this uncertainty? I think it’s Recital 26. For instance, can Mr. Ryneš identify the individual if he takes into account all the means likely reasonably to be used by the police to identify the culprits? Bingo, the answer is “yes”.
Mr. Ryneš is processing personal data because he is making disclosure to the police knowing that the vandals are to be identified by “…all the means likely reasonably to be used ... by …. any other person” (as required by Recital 26; my emphasis).
Now apply this to a search engine that monitors IP addresses (e.g. 22.214.171.124) so that a third party can pay the search engine to display links to the third party’s website (for a marketing purpose).
For instance, if I put a search term into a search engine, I receive links to those third party organisations that have paid the search engine to have their links displayed to me (“pay per click”). If I am interested in the advert, I click on the link.
The third party is a data controller as data subjects (who click on the displayed link) will identify themselves if they want to pay or/and purchase a service. Following the argument above, the search engine is now also a data controller because it is providing access to the IP address to the third party in return for payment, knowing that the third party is likely to identify the individual.
This marketing scenario above is just like Mr. Ryneš when he made a disclosure to the police (third party) knowing the police were likely to make the identification. Just as Mr.Ryneš was found by the ECJ to be processing personal data, so is the search engine.
On October 28, 2014, the German Federal Court of Justice referred the question of whether an IP address constitutes personal data to the ECJ (i.e. when an IP address is stored by an Internet service provider and a third party possesses sufficient additional data to identify the user). If the ECJ follows Ryneš, the answer is most likely going to be “yes”.
And if the answer is yes, there is an absolute right to object to marketing to the search engine.
Do you know what? I am beginning to like Directive 95/46/EC, especially as I am beginning to fear that the Data Protection Regulation might offer data subjects a lower level of privacy protection.
Comment added after posting
Although the above uses the Ryneš case, I do not think that the argument is dependent on Ryneš. It just needs an organisation disclosing a number or code to a third party and knows the third party is to link other details to that number or code to personal data.
Domestic CCTV and Directive 95/46/EC (European Court of Justice (ECJ) Judgment in Case C-212/13 Ryneš): http://amberhawk.typepad.com/amberhawk/2014/12/what-does-the-ecj-ryne%C5%A1-ruling-mean-for-the-domestic-purpose-exemption.html
Google Spain judgement C-131/12: http://amberhawk.typepad.com/amberhawk/2014/05/if-the-european-court-has-established-a-right-to-be-forgotten-it-has-also-established-a-right-to-object-to-marketing.html
German referral on IP addresses to the ECJ: https://www.huntonprivacyblog.com/2014/11/articles/german-court-asks-european-court-justice-ip-addresses-personal-data/ and http://juris.bundesgerichtshof.de/cgi-bin/rechtsprechung/document.py?Gericht=bgh&Art=pm&Datum=2014&Sort=3&nr=69184&pos=0&anz=152
Why the proposed Data Protection Regulation might offer weaker protection than Directive 95/46/EC: http://amberhawk.typepad.com/amberhawk/2014/12/italian-data-protection-regulation-text-exposes-member-states-disharmony-risk-of-weaker-protection-for-data-subjects-increas.html
"Reclaiming Privacy on the Internet" – 2009. An older document that describes how individuals can protect their internet browsing by engaging a data protection regime; IP addresses and URLs linked to user sessions can be transformed into personal data at any time by the user. Does not include the above argument http://www.amberhawk.com/uploads/IPSTREETVIEW.pdf