Are IP addresses personal data?
ACS Law ruling raises some interesting questions
Let’s revisit that old chestnut: “Is an IP address you use in an internet session personal data about you?” The reason: I have just come across two legal references which relate to copyright infringement where the argument that an IP address is personal data was accepted.
The first reference I found was the Monetary Penalty Notice that ACS Law obtained (and the £200K fine that later became a £1K fine...). The company used to send ISPs a list of IP addresses suspected of being involved in breaches of copyright on a regular basis. (The company went out of business because of its poor security, which is why the eventual penalty was reduced to £1K.)
In the ACS Law Monetary Penalty Notice, the Information Commissioner's Office (ICO) clearly states:
The Commissioner understands that the data requests sent to each ISP by the data controller (in this case) were for information populating a spreadsheet containing hundreds and sometimes thousands of IP addresses. ... ISPs responded to the data controller by returning the spreadsheet with all the existing data, together with the name and address of the registered account holder that they had input alongside each entry.
So the ISPs mentioned above, presumably because they have blocks of IP addresses specifically allocated to them, were able to provide a link between a requested IP address and a specific individual account-holder. In this way, the IP address formed part of the personal data each ISP had in its possession.
This point was reinforced with a judicial review concerning the Digital Economy Act 2010, where it was claimed by many organisations that some regulations enacted by Government were incompatible with a number of provisions of EU law. One part of this argument related to the Data Protection Directive (DPD) 95/46/EC.
The judgement states that, as common ground between the parties, an IP address is personal data. In detail, it states that:
It is common ground that... (various provisions in the Digital Economy Act)... are likely to require ISPs to process “personal data” within the meaning of Articles 2(a) and (b) of the DPD. The ISP must link the IP address provided by the copyright owner with an individual subscriber’s name and address, and write to them and compile lists... [that can be supplied to Third Parties – paragraph 152].
So suppose an ISP allows other organisations to capture or monitor a user’s IP address, eg, for the purpose of behavioral marketing. As the ISP is processing personal data (see above), isn’t it allowing part of the personal data under its control (eg, the IP address it has been allocated, and possibly owns, which also relates to the browsing habits of a known individual) to be used for third party marketing?
As all Tribunal determinations on third party marketing have stated that this needs the prior consent of each data subject (ie, each and every account-holder), shouldn’t the ISP be doing something to alert or protect its customers from the use of their IP addresses for third party marketing? Like getting their consent, perhaps?
Now look at the issue from the standpoint of those behavioral marketeers that arrange for a pop-up box to appear after monitoring IP addresses; for convenience, I show examples of these boxes posted on Wiki. What is the purpose of the pop-up box? Answer, of course, “marketing”.
Note that many pop-up boxes shown provide links to enable direct contact with the customer. So where organisations are using/monitoring the IP address to identify potential leads, they know that identifying information about an individual is likely to come into their possession.
If this is the case, then this too falls within the UK Act’s definition of personal data. It follows that personal data is being processed for a marketing purpose, without the data subject having been given the advance choice to opt out of the marketing purpose (eg, in a fair processing notice).
Is the release of IP addresses like the release of anonymous statistics?
There are those who would argue that an IP address, by itself, does not identify the individual. In support, they might quote recent judgements about “anonymous statistics”, which appear to suggest that the disclosure of anonymised information, extracted from personal data, is not a release of personal data.
I argue that the position on the release of these "anonymous statistics" and IP addresses is not the same and can be distinguished very easily as follows.
Consider the ProLife Alliance Freedom of Information request to the Department of Health (DoH) for the release of abortion statistics concerning the number of late-term abortions. The DoH refused the request and claimed that the requested information was personal data; the Information Commissioner said the statistics were not personal data; the Tribunal said they were personal data; and Cranston J, in his judgement published in June, agreed with the Commissioner (but on different grounds).
Cranston J argued that to consider the requested data as personal data would establish a principle that would prevent any publication of medical statistics, however broad. To justify his position, he then went on to examine whether identifiability was likely (a) in the hands of the data controller and (b) in the hands of recipients who get the statistics.
He was satisfied that if identification in the hands of the recipient was “extremely remote”, then the information was not personal data.
Now we come to the difference that distinguishes the disclosure of statistics and the disclosure of IP addresses. With the former, the data controller might be able to identify an individual from the statistics in conjunction with other information in its possession. By contrast, the recipient of the statistical data, following the logic of Cranston J, is remote from making such an identification.
This starkly contrasts with the disclosure or capture of IP addresses. Although an individual cannot be identified from just the IP address, the user or recipient of that IP address has every intent to identify a potential customer as part of his marketing purpose.
Additionally, the holder of the IP address knows that in the hands of the ISP, the IP address definitely forms part of a collection of personal data. With statistics, this point might not be so clear-cut: for instance the public authority might create a set of statistics for release under FOI where it cannot perform the back-identification.
That is why I am increasingly drawn to the conclusion that IP addresses have to be treated as personal data by behavioral marketers, as there is a prior intent to identify the individual behind the IP address.
I am also coming to the conclusion that ISPs can do more to protect their customers from unwanted marketing, especially if they own a block of IP addresses.
This story originally appeared at HAWKTALK, the blog of Amberhawk Training Ltd.
- DP extracts from R (BT & Anor) v The Secretary of State for Business, Innovation and Skills  EWHC 1021 (Admin) can be downloaded at the Panopticon blog here.
- The Abortion stats case: R (DEPARTMENT OF HEALTH)-v-IC  EWHC April 2011 was also discussed in the same article.
- The ACS Law Ltd Monetary Penalty Notice (10 May 2011) is on the ICO website.