Recently, there have been a number of highly publicised scandals concerning the loss of personal data in the UK and US. In addition, certain social networking sites published the on-line purchasing behaviour of users and were forced to amend their behaviour in the face of an end user rebellion. In addition the launch of new contextual advertising services that track users searching behaviour on the internet is raising concern.
This has made policing the on-line world and, more particularly, defining the scope and use of personal data in the on-line environment of paramount importance. It is therefore no surprise that debate is under way in Europe as to whether IP addresses should be considered personal data and therefore protected in the same way.
Germany’s Federal Data Protection Commissioner and chairman of an independent EU advisory body which advises the EU on data protection issues voiced the Committee’s view to a meeting of the European Parliament that when an IP address can identify a specific person it should be regarded as personal data and should therefore be protected accordingly. The Committee is currently investigating the extent to which the privacy policies of internet search engines operated by companies such as Google, Yahoo and Microsoft comply with EU privacy law.
In the UK, if information is considered to be personal data, the Data Protection Act 1998 (DPA) applies. The DPA reinforces common sense rules of information handling, which most organisations try to follow anyway, and tries to ensure that organisations manage the personal information they hold in a sensible way. Organisations must keep the information accurate and up to date, only for as long as they need it, and only for a specified purpose. Importantly, any information covered by the DPA must be kept secure.
Search engines, and others, actively record and store IP addresses but contend that this information need not always be treated as personal data. For example, Google has defended the practice by stating that IP addresses, in most instances, merely identify a computer and not a particular individual. Though it did accept that where a specific person could be identified data protection laws should apply.
In Google’s case, the company claims it only collects IP addresses so that it can improve its search relevancy, by using the language used in any given location to help it tailor its results accordingly. Furthermore the company asserts that it collects insufficient information for it to be able to identify the real person behind the IP address. More specifically, Google has stated its belief that where an ISP attributes an IP address to a subscriber and knows their name and address, the IP address should be considered personal data. But, “the IP addresses recorded by every website on the planet should not be considered personal data”.
Google last year announced it had cut the time it keeps search data from 24 to 18 months, most likely in an effort to appease the concerns of the regulators. Similarly, other companies such as Yahoo and Microsoft have also cut their search data retention periods. However, the EU advisory body has commented that such steps still do not go far enough. That said, one needs to not lose sight of the fact that the length of time data is retained for is really a side issue. The main issue is whether data is personal data or not.
Some other search engines have claimed that they keep data as part of their internal security measures and because they may be required to do so under European data retention laws that were designed to combat terrorism. However, the Committee dismissed these as inadequate reasons for keeping personal data.
The Committee acknowledged that some IP addresses may not identify an individual and may not therefore require protection as personal information, for example, computers in internet cafes. However, this position was qualified in that even these computers, if used frequently by the same individual, may be able to identify a particular person and thus, in the Committee's view, require adequate protection.
The most likely way an IP address may be used to identify an individual is via the use of “web cookies” (parcels of text sent by a server to a web browser and then sent back unchanged by the browser each time it accesses that server). Web cookies are used by many website operators to track the on-line movements of individuals, thereby increasing the risk that a profile can be formed for any given individual who frequently uses the same IP address.
Thus, an important factor is whether an IP address is static or dynamic. A static IP address is a fixed address, associated with a fixed hardware address. The result of this is that access to the internet is always through the same static IP address. A dynamic IP address, on the other hand, belongs to a pool of IP addresses which are randomly allocated/de-allocated from various hardware addresses so that the user is typically allocated a different IP address each time he goes through the log on process to access the internet. Thus, unless the allocating entity can associate a particular IP address with a particular user at any given time, it is unlikely that a dynamic IP address will be considered to be personal data. This reasoning is echoed in guidance published on the Information Commissioner’s Office in respect of whether IP addresses should be considered personal data under UK law.
However, what if data is not currently linked to an actual person’s name or address? The Information Commissioner considers that where data about a particular web user is built up over a period of time, perhaps through the use of tracking technology, with the intention that it may later be linked to a name and address, that information will still be personal data. Even if the data is compiled in the absence of an intention to link it to a name and address or e-mail address (for example where there is merely an intention to target a particular user with advertising, or to offer discounts when they re-visit a particular web site, on the basis of the profile built up, without any ability to locate that user in the physical world), the Commissioner takes the view that such information is, nevertheless, personal data. Thus, the approach taken by the Commissioner is that, in the context of the on-line world, the information that identifies an individual is that which uniquely locates him in that world, by distinguishing him from others. This is a controversial view and is purely the Information Commissioner’s interpretation. No guidance is given on this issue in either the EU or UK legislation nor is it the subject of any decided case law.
The EU Committee has been debating the above issues for over a year now but is poised to finalise its report in the coming months. Although the report is unlikely to prevent the collection of IP addresses it could well lead to a change in legislation, requiring companies to treat IP addresses as personal data.
If so, companies such as Google would be required to abide by far more stringent regulations. In the UK, that would mean complying with the eight Data Protection Principles laid down by the DPA. Of particular note, the DPA requires companies to obtain permission from all data subjects to process their data and that the data be processed only for a registered purpose. Importantly, there are a limited number of exceptions to the requirement of consent. The most frequently used of these exceptions is where the data processing is essential to fulfil a contractual obligation with the data subject; for example, where the data subject books a hotel room and his personal data then needs to be transmitted to the actual hotel. Hence, if IP addresses are deemed to be personal data, Google and its competitors would be well advised to conduct a thorough examination of (1) any recorded IP addresses; (2) the reasons for recording the same; and (3) any applicable notice procedures.
In addition, if the data is to be stored for any period of time, a similar analysis would need to be carried out regarding that process. Companies would need to ensure that physical, technical and administrative safeguards are in place to adequately protect the stored data.
Where the DPA fails, however, is in enforcement. The sanctions currently available are primarily concerned with bringing an organisation’s future conduct into compliance with the Act. For the most part they do not allow a penalty to be imposed for breaches that have already taken place. Hence, there is presently no effective punishment or deterrent available for those who knowingly or recklessly disregard the requirements of data protection law in the UK in a way that causes a significant risk of harm to individuals. Clearly, this is something which needs to be addressed if a change in the law is forthcoming.
Regardless of the outcome of the report, it is clear that the public is now more sensitive to privacy issues than ever before. With this in mind, even if a change in the law is not forthcoming, companies should think seriously about pro-actively examining their procedures for recording and storing any potentially personal data. Similarly, they should take care to ensure that they fully and clearly disclose their privacy practices to all those persons who may be affected.