It would be prudent for companies to assume IP addresses are personal data. This is because of the potential for that data to be used to identify individual internet users when matched together with other information.
Companies that treat IP addresses as being outside the scope of data protection laws run the risk of being fined. Significant financial penalties of up to 4% of a company's global annual turnover are a possibility under new EU data protection laws soon to be finalised.
Guidance issued by data protection authorities and a UK court support a cautious approach being taken to how businesses treat IP addresses.
The case before the Court of Justice of the EU (CJEU)
The Federal Court of Justice in Germany has asked the CJEU to help it resolve a dispute before it that concerns whether IP addresses constitute personal data for the purposes of the EU's Data Protection Directive. The CJEU recently heard arguments in the case.
The German court has specifically asked the CJEU whether website operators that store IP addresses when device users connect to their sites can be said to be handling personal data if the businesses facilitating those device users' online access – third party internet service providers (ISPs) – hold "the additional knowledge required in order to identify the data subject".
When is an IP address personal data?
Data protection watchdogs and courts have previously looked into whether IP addresses can identify individuals and therefore qualify as personal data. The nuanced view offered by these authorities show that there is often not a simple straight answer to that question.
The Information Commissioner's Office (ICO), the UK's data protection watchdog, told us that it if an individual can be identified from an IP address then it would be personal data, but that would not always be the case and "needs to be judged on a case-by-case basis". As part of the analysis, organisations need to assess how specific an IP address is to the device or user, it said.
That approach was accepted by a leading member of the UK judiciary in 2012. In a case before him, Mr Justice Arnold considered whether IP addresses could be relied upon as identifiers of alleged infringers of copyright. In his ruling the judge granted a rights holder an order which required O2 to disclose the names and addresses of suspected illegal file sharers that the rights holder had said it had identified through their IP addresses.
Mr Justice Arnold said that the IP addresses would help the rights holders identify "many, but not all" of the illegal file sharers. He accepted evidence from consumer charity Consumer Focus that relying on IP addresses as an identifier on their own could lead to individuals being misidentified as copyright infringers. As a result, he said that the disclosure order and the proposed letter of claim had to be "framed so as properly to safeguard the legitimate interests of the [O2 customers], and in particular the interests of [O2 customers] who have not in fact committed the infringements in question".
The view that device identifiers, like IP addresses, will not always be personal data when considered in isolation is supported in opinions issued by the Article 29 Working Party, a body that represents the various national data protection authorities from across the EU, including the ICO.
In an opinion in 2014 on the application of EU e-Privacy rules to 'device fingerprinting', the Working Party referenced the rise of technologies similar to cookies that enable the tracking of device usage through "the combination of a set of information elements". The Working Party explained that these device fingerprints could be considered to be personal data when matched together with other data, including IP addresses.
The combination of "information elements", which on their own might not be sufficient to identify users, can produce a set of data that is "sufficiently unique (especially when combined with other identifiers such as the originating IP address) to act as a unique fingerprint for the device or application instance", the watchdog said.
The same logic applies in reverse – IP addresses might not necessarily be capable of identifying individuals on their own, but the ease with which someone can match that data with other potential identifiers means that IP addresses could then be classed as personal data.
However, in 2007 the Working Party had gone further (26-page / 139KB PDF). It said at the time that unless internet service providers are "in a position to distinguish with absolute certainty" that IP addresses "correspond to users that cannot be identified" then it would need to treat that data as personal data "to be on the safe side".
Organisations can look for further guidance on the issue from the ICO's code of practice on anonymisation.
According to the ICO, organisations do not have to guarantee that data is 100% anonymised in order for it to be outside of the scope of the Data Protection Act. Instead the ICO has said that providing there is no more than a "remote" chance that data subjected to anonymisation measures can be traced back to individuals then, for the purposes of the law, that data would be treated as having been anonymised and no longer 'personal' data.
Organisations need to assess the risk of apparently anonymised data being used to identify individuals when linked with other information. The ICO said "the risk of identification must be greater than remote and reasonably likely for information to be classed as personal data". It said that organisations should consider whether someone, suitably motivated to do so, "would be able to achieve re-identification" if they tried. This is known as the motivated intruder test and would help organisations determine if data was to be classed as personal data or not, the ICO said.
However, the nuanced approach favoured by the ICO was not reflected in a data protection declaration issued in 2014 by global data privacy watchdogs on the subject of data generated by devices, or 'internet of things' sensor data.
The declaration said: "'Internet of things’ sensor data is high in quantity, quality and sensitivity. This means the inferences that can be drawn are much bigger and more sensitive, and identifiability becomes more likely than not. Considering that the identifiability and protection of big data already is a major challenge, it is clear that big data derived from internet of things devices makes this challenge many times larger. Therefore, such data should be regarded and treated as personal data."
Personal data is a broadening concept
Businesses should adopt the same view as expressed in the declaration when processing IP addresses. This is the prudent approach to take. IP addresses, as data protection authorities and the courts have determined, might not always constitute personal data on their own. However, there is an increasing volume of data being produced and analytics tools are also becoming more powerful and enabling data that has previously existed in silos to be interlinked. This makes it easier than ever before for individual pieces of data to be matched and linked to individuals.
The General Data Protection Regulation, set to overhaul existing EU data protection rules, looks like it will apply a broad definition of 'personal data' to account for this technological advancement.
According to one recital in the Regulation, to determine whether data identifies a person "account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by any other person to identify the individual directly or indirectly".
This approach outlined in the Regulation appears to in effect codify the motivated intruder test that the ICO supports the use of in its anonymisation code but which is actually not accounted for within the wording of the Data Protection Act (DPA).
The DPA requires that data controllers consider what information they have in their possession or are likely to get their hands on when determining if data is personal data. They must also consider what personal identifiers a third party data controller holds if they intend to disclose anonymise data to that organisation to determine if it would allow for reidentification through data matching.
The DPA does not, though, require data controllers to consider what efforts are necessary to enable re-identification, just whether data is available or likely to be available to enable re-identification.
The change in approach, coupled with the potential for significant fines of up to 4% of annual global turnover to be levied under the new Regulation and the reputational damage that can arise if personal data is mishandled, should spur businesses to treat IP addresses as personal data even if the CJEU does not explicitly state this is necessary in its forthcoming ruling.
Kathryn Wynn is a data protection law expert at Pinsent Masons, the law firm behind Out-Law.com.