Without doubt services such as Google Street View can be useful. Just imagine that you are going for a job-interview in an unfamiliar city-centre; isn’t it useful to know the lay of the land before you travel?
However, away from the city centres, some householders claim that Google’s Street View has invaded their private space by publishing pictures that can zoom through the upstairs windows or into front rooms. Sometimes, privacy campaigners have based their data protection arguments on the processing of images that show shadowy Street View figures in a compromising poses. However, several Privacy Commissioners have come to the view that subject to safeguards associated with data removal, there is no privacy issue.
In general, there is a current, lively debate as to whether data that contains no name but is linked to an Internet user session via an IP address, URL or similar reference number is personal data or not. The stakes are high: if the data are not personal data, then the person who controls the data has almost untrammelled power to decide the nature of the processing. By contrast, if the data are personal data, that controller would be constrained by the data protection obligations that serve to protect the privacy of the individual user concerned.
We have published details that describe a simple test of whether or not certain information linked to an IP address, reference number or URL is personal data. We show that if the individual user concerned provides the service provider (e.g. Google) with the necessary identifying information (easily obtainable as we show), then the data ARE personal data, unambiguously in relation to any future processing. If sufficient individual users each provide the necessary identifying details, then the data linked to ANY individual should be considered to be personal data.
In other words, any individual users can, at any time, seek the protection of a data protection regime by providing the necessary identifying details to any organisation that stores their IP address or URL. This also means that organisations will have to adjust their procedures to take account of the reality that any subsequent processing of URLs or IP addresses, can be, at any time the processing of personal data.
The process, in our view, puts the user in charge of his own privacy – if the user wishes it. We also believe that the technique applies to those who do not live in a “data protected zone” but who user services subject to a privacy policy similar to that of Google; this should be of interest to our cousins in the USA. The full legal analysis plus draft details on the download section of our web-site: amberhawk.com
The document below describes how individuals can protect their internet browsing by engaging a data protection regime. IP addresses and URLs linked to user sessions can be transformed into personal data at any time.
This is extremely interesting. I think it may also have implications for services such as Woopra (see http://bit.ly/rmFqU where I have blogged about it) where a person monitoring web traffic can choose to "speak" unexpectedly to any visitor, or so the blurb says.
I also have a strong objection to Streetview (blogged at http://bit.ly/L3KOR to say so) which also seems dilatory at removing or blurring the things they state that they blur.
Posted by: Tim Trent | 13/07/2009 at 11:14 AM
Interesting idea. On a lot of broadband networks (as privacy advocates have pointed out when arguing that IPs can constitute personal data), you can often have the same IP address for significantly protracted periods; I've been at same IP all year now.
I was wondering if you think it could give extra strength to an IP address user's claim (of ownership over data relating to that address) if they registered a domain with one of the free dynamic IP services (e.g. no-ip.com, dyndns.com etc.) and kept it updated with their ISP-provided IP address as it changed. The ISP might attempt to claim the IP address as its property that it is merely lending to you to use, and assert that it has the right to that data (and even to enter into deals to provide that data for marketing purposes); by having a domain name, I think you'd be tying it more personally to you and your identity through the domain owner role, and as the IP address from your ISP changed over time, you could argue that the changing history of your domain and the IP to which it points constituted an aggregation or collection of data in which you had rights as the creator.
Posted by: DaveK | 14/07/2009 at 04:20 PM
FYI, your trackback URI has an invalid XID. I tried to do a trackback ping for my blog post at http://tech-and-law.blogspot.com/2009/07/make-ip-address-personal-data-reclaim.html commenting on your post, and it wouldn't work.
Posted by: W | 23/07/2009 at 07:20 PM
For an IP address to be personal data, there would have to be a one-to-one relationship between a person and his or her IP address. This is surely not the case.
The IP address that an Internet application sees is only the address of your firewall.* Behind that IP address there may be, and often are, many people: a home, an Internet cafe, a public library or a whole office block full of unconnected individuals all of whom appear to have the same IP address. The IP address of the actual device you're using is likely to be a private one (such as 192.168.x.x) which is unique only within your network. Conversely, many of us move around and have different IP addresses at different times, especially now that Web-based applications make a personal computer less necessary. So it's difficult to see how an IP address can be regarded as private and personal.
______
* There are (amazingly) people who are foolish enough to connect to the Internet without a hardware firewall or even a router. For such people, with one computer connected by an ADSL modem to their broadband connection, their IP address may be unique to them. But they are surely in the minority. It certainly can't be assumed that all users are like that.
Posted by: John Stanning | 25/07/2009 at 10:03 PM
The ISP might attempt to claim the IP address as its property that it is merely lending to you to use, and assert that it has the right to that data (and even to enter into deals to provide that data for marketing purposes)
Posted by: cheap computers canada | 29/01/2010 at 07:06 PM