[governance] IP Addresses Are Personal Data, E.U. Regulator Says

Andrea Glorioso andrea at digitalpolicy.it
Thu Jan 24 03:36:27 EST 2008


Dear all,

>>>>> "Karl" == Karl Auerbach <karl at cavebear.com> writes:

    > yehudakatz at mailinator.com wrote:
    >> IP Addresses Are Personal Data, E.U. Regulator Says The
    >> Washington Post

    >> BRUSSELS -- IP addresses, strings of numbers that identify
    >> computers on the Internet, should generally be regarded as
    >> personal information

    > If that is the case then one must question whether an ISP or
    > core provider's use of a person's IP address to generate a TCP
    > Reset packet (for the purpose of, for example, "slowing"
    > bittorrent traffic) is a usurpation of that personally
    > identifiable information.

I am surprised that this point raised so many eyebrows (not
particularly on this list, but on other ones that I follow).

First of all, the opinion of Scharr - which is actually the opinion of
the Working Party 29 (WP29) which is composed of the data protection
officers of all EU member states - is advisory only and does not have
the force of binding law.

Second, the fact that the WP29 considered an IP address to be "personal
data" in the sense of the relevant European data protection Directives
has been known for some time - the WP29 has already issued some
opinions on this particular point (I can provide the references if
somebody is interested).  Again, these are *opinions*, not binding
laws, although they do have a certain weight.

Regarding Karl Auerbach's scenario, which I believe refers to the
Comcast "incident" in the US, legally speaking it would probably fall
under the "processing of personal data" pursuant to Directive 95/46/EC,
art. 2(b) 

  "'processing of personal data' ('processing') shall mean any operation
  or set of operations which is performed upon personal data, whether
  or not by automatic means, such as collection, recording,
  organization, storage, adaptation or alteration, retrieval,
  consultation, use, disclosure by transmission, dissemination or
  otherwise making available, alignment or combination, blocking,
  erasure or destruction",

art. 6 and art. 7 

  "Member States shall provide that personal data may be processed
  only if: (a) the data subject has unambiguously given his consent;
  or (b) processing is necessary for the performance of a contract to
  which the data subject is party or in order to take steps at the
  request of the data subject prior to entering into a contract; or
  (c) processing is necessary for compliance with a legal obligation
  to which the controller is subject; or (d) processing is necessary
  in order to protect the vital interests of the data subject; or (e)
  processing is necessary for the performance of a task carried out in
  the public interest or in the exercise of official authority vested
  in the controller or in a third party to whom the data are
  disclosed; or (f) processing is necessary for the purposes of the
  legitimate interests pursued by the controller or by the third party
  or parties to whom the data are disclosed, except where such
  interests are overridden by the interests for fundamental rights and
  freedoms of the data subject which require protection under Article
  1 (1)".

But of course the Comcast incident took place in the US, not in the EU
(for now :).

Incidentally, one might also argue that deep-packet inspection
("network neutrality" anyone?) breaches data protection laws across
Europe, unless there is a clear consent from the end-user.  Care to
guess how many ISPs in the EU actually do request that "clear
consent"?

Ciao,

--
      Andrea Glorioso || http://people.digitalpolicy.it/sama/cv/
          M: +32-488-409-055         F: +39-051-930-31-133
   "Every honest researcher I know admits he's just a professional
   amateur. He's doing whatever he's doing for the first time. That
  makes him an amateur. He has sense enough to know that he's going
     to have a lot of trouble, so that makes him a professional."
		Charles Franklin Kettering (1876-1958)