I've been mulling over the news Lilian broke on Pangloss about the Article 29 Working Party's view that IP addresses amount to personal data - the point being that if an IP address is personal data, then anyone collecting or otherwise using IP addresses will be subject to the Data Protection Act (or equivalent legislation in other European jurisdictions).
Now this is a question that I've always thought has a typically lawyery sort of answer: an IP address can amount to personal data, but whether it does will depend on the facts. The Act says (essentially) that personal data means data by which a living individual can be identified (either from those data or with other available information). So if I live alone and have a PC, there's a pretty good chance that I can be identified from my IP address. But if I use a PC in an internet cafe, there's a pretty good chance that I can't be identified from that PC's IP address. In fact, I think that this is rather close to what the Working Party has said (ie an IP address will be personal data if it can be used to identify someone).
Website operators have tended to address the issue by sticking some standard wording about the collection of IP addresses in their privacy policies (see references in the Beeb's here or Mills & Reeve's here, for instance). As long as the use of IP address data doesn't go beyond the obvious, it's unlikely that collecting the information will require consent; the website operators will argue that they have complied with their "fair processing" obligation by notifying users about website logging.
As Pangloss points out, though, this could have interesting implications for the likes of Google. The Working Party's report is due out later this year.