Let’s revisit that old chestnut: “is an IP address you use in an internet session personal data about you?”. The reason: I have just come across two legal references which relate to copyright infringement, where the argument that an IP address is personal data was accepted. (An IP address is the number linked to your connection to the internet so that communications can occur; for instance 68.74.255.92).
The first reference I found was the Monetary Penalty Notice that ACS Law obtained (and the £200K fine that wasn’t; see references). The company used to send ISPs, on a regular basis, a list of IP addresses suspected of being involved in breaches of copyright. (The company went out of business because of its poor security; that is why the eventual penalty was reduced to £1K).
In the ACS Law Monetary Penalty Notice the ICO clearly states:
“The Commissioner understands that the data requests sent to each ISP by the data controller (in this case) were for information populating a spreadsheet containing hundreds and sometimes thousands of IP addresses. …. ISPs responded to the data controller by returning the spreadsheet with all the existing data, together with the name and address of the registered account holder that they had input alongside each entry”.
So the ISPs mentioned above, presumably because they have blocks of IP addresses specifically allocated to them, were able to provide a link between a requested IP address and a specific individual account holder. In this way, the IP address formed part of the personal data each ISP had in its possession.
This point was reinforced with a judicial review concerning the Digital Economy Act 2010 (see references) where it was claimed by many organizations that some regulations enacted by Government were incompatible with a number of provisions of EU law. One part of this argument related to the Data Protection Directive (DPD) 95/46/EC.
The judgment states that, as common ground between the parties, an IP address is personal data. In detail, it states that:
“It is common ground that... (various provisions in the Digital Economy Act)..., are likely to require ISPs to process “personal data” within the meaning of Articles 2(a) and (b) of the DPD. The ISP must link the IP address provided by the copyright owner with an individual subscriber’s name and address, and write to them and compile lists”... (that can be supplied to Third Parties; paragraph 152).
So suppose an ISP allows other organisations to capture or monitor a user’s IP address, say for behavioral marketing. As the ISP is processing personal data (see above), isn’t it allowing part of the personal data under its control (e.g. the IP address it has been allocated, and possibly owns, which also relates to the browsing habits of a known individual) to be used for Third Party marketing?
As all Tribunal determinations on Third Party marketing have stated that this needs the prior consent of each data subject (i.e. each and every account holder), shouldn’t the ISP be doing something to alert or protect its customers from the use of their IP addresses for third party marketing? Like getting their consent, perhaps?
Now look at the issue from the standpoint of those behavioral marketers that arrange for a pop-up box to appear after monitoring IP addresses; for convenience, I show examples of these boxes posted on Wiki. What is the purpose of the pop-up box? Answer of course: “marketing”.
Note that many pop-up boxes shown provide links to enable direct contact with the customer. So where organisations are using/monitoring the IP address to identify potential leads, they know that identifying information about an individual is likely to come into their possession.
If this is the case, then this too falls within the UK Act’s definition of personal data. It follows that personal data are being processed for a marketing purpose, without the data subject having been given the advance choice to opt-out of the marketing purpose (e.g. in a fair processing notice).
Is the release of IP addresses like the release of anonymous statistics?
There are those who would argue that an IP address, by itself, does not identify the individual. In support, they might quote recent judgments about “anonymous statistics”, which appear to suggest that the disclosure of anonymised information, extracted from personal data, is not a release of personal data.
I argue that the position on the release of these "anonymous statistics" and on the release of IP addresses is not the same, and that the two can be distinguished very easily as follows.
Consider the ProLife Alliance FOI request to the DoH for the release of abortion statistics concerning the number of late-term abortions. The DoH refused the request and claimed that the requested information was personal data; the Information Commissioner said the statistics were not personal data; the Tribunal said they were personal data; and Cranston J, in his judgment published in June, agreed with the Commissioner (but on different grounds; see references).
Cranston J argued that to consider the requested data as personal data would establish a principle which would prevent any publication of medical statistics, however broad. To justify his position, he then went on to examine whether identifiability was likely (a) in the hands of the data controller and (b) in the hands of recipients who get the statistics. He was satisfied that if identification in the hands of the recipient was “extremely remote”, then the information was not personal data.
Now we come to the difference that distinguishes the disclosure of statistics and the disclosure of IP addresses. With the former, the data controller might be able to identify an individual from the statistics in conjunction with other information in its possession. By contrast, the recipient of the statistical data, following the logic of Cranston J, is remote from making such an identification.
This starkly contrasts with the disclosure or capture of IP addresses. Although an individual cannot be identified from just the IP address, the user or recipient of that IP address has every intent to identify a potential customer as part of his marketing purpose.
Additionally, the holder of the IP address knows that in the hands of the ISP, the IP address definitely forms part of a collection of personal data. With statistics, this point might not be so clear cut; for instance the public authority might create a set of statistics for release under FOI where it cannot perform the back identification.
That is why I am increasingly drawn to the conclusion that IP addresses have to be treated as personal data by behavioral marketers as there is a prior intent to identify the individual behind the IP address.
I am also coming to the conclusion that ISPs can do more to protect their customers from unwanted marketing, especially if they own a block of IP addresses.
References
DP extracts from R (BT & Anor) v The Secretary of State for Business, Innovation and Skills [2011] EWHC 1021 (Admin) can be downloaded. I was put onto this case by the excellent Panopticon Blog (http://www.panopticonblog.com/2011/06/14/personal-data-crucial-points-from-the-abortion-statistics-case/)
The Abortion stats case: R (DEPARTMENT OF HEALTH)-v-IC [2011] EWHC April 2011 was discussed in the reference above
ACS Law Ltd Monetary Penalty Notice (10th May 2011) is on the ICO website (http://www.ico.gov.uk/what_we_cover/taking_action/dp_pecr.aspx#monetarypenalties)
If we replace the term "IP address" with "home address":
1) Is this a reasonable analogy? I would think so, since a home address and an IP address are used as identifying pieces of information (both refer to an address tied to specific internet/residential "sessions").
2) Is a home address considered "personal information" for copyright purposes, and if so, is it always considered personal information? Consider the case where a person changes addresses numerous times a year, since this is the closest analogy I can think of.
Posted by: otoburb | 20/10/2011 at 10:22 AM
The banking rules in Switzerland state very clearly that an IP address is PII and must be removed, masked or protected from logs or other data streams if those logs leave the country. A few other countries treat IP addresses as PII as well.
Swiss Role for the UK?
Posted by: AG | 20/10/2011 at 11:20 PM
Firstly IP addresses are not always personal data. The IP address that www.google.com resolves to for instance, is not personal data, it is the TCP/IP address of a piece of electronics. So an IP address is only personal in that it identifies a piece of electronic equipment that is owned or used by an individual. Every Email I receive has such an item of information. If I did a SAR to a company should they trawl every email for an IP address in case it is mine? If it is personal information then yes. Ah but wait, the email may have passed through my server but not actually sent by me. It has my (personal) IP address embedded in the message but it is personal information of mine?
IP addresses are personal information in some circumstances, i.e. when it is intrinsically linked to its owner. Even then you can often look these up via a WHOIS or DIG. Where an ISP (or phone company, or WiFi hotspot) can identify a customer who has been allocated an IP over a specific period, then it is personal information; if not, it is no more personal information than 'J6 on M8' is personal information.
Posted by: Brian | 21/10/2011 at 01:54 PM