The issue has never been tested in a UK court but the
view of the German court is consistent with guidance published last
year by the UK's Information Commissioner.
Search engine companies and other web publishing operations
store IP addresses in a bid to identify users and their usage
patterns. Privacy activists have argued that IP addresses should
count as personal data under data protection legislation.
Publishers have claimed that while IP addresses can be personal
data, they are not always necessarily so.
In a provisional ruling, the district court of Munich has said
that when stored by an internet publisher, IP addresses are not
personal data under the country's Privacy Act because the
information cannot be easily used to determine a person's
identity.
The ruling said that an internet service provider (ISP) could
not tell a third party who was using a particular IP address at a
particular time without a legal basis. ISPs generally do not give
out such information except when ordered to do so by a court.
The only other way for a person's identity to be determined by
the IP address would be for the information to be transferred to a
third party illegally, the court said.
In an automated translation from the German, the ruling said
that IP addresses lack the necessary quality of 'determinability'
to be personal data. That means that the identity of the person
behind the data can be determined without disproportionate burden
and using normally available knowledge and tools.
The court said that web publishers, therefore, could store IP
addresses in server log files which keep a track of activity on a
web page.
The case was brought by an individual who argued that a web
publisher's storing of IP addresses in those log files was a
privacy violation because the information could be used to identify
him and link his identity to his web surfing activity.
The court disagreed and dismissed his arguments.
In 2007 the UK's Information Commissioner published guidance
which said that in isolation, IP addresses will not be classed as
personal data. They can become personal data, though, when used to
build a profile on an individual or in the hands of an ISP.
"In practice, it is difficult to use IP addresses to build up
personalised profiles," said the guidance. "Many IP addresses,
particularly those allocated to individuals, are 'dynamic'. This
means that each time a user connects to their internet service
provider (ISP), they are given an IP address, and this will be
different each time."
"So if it is only the ISP who can link the IP address to an
individual it is difficult to see how the Act can cover collecting
dynamic IP addresses without any other identifying or
distinguishing information," it said.
The guidance adds: "Some IP addresses are 'static', and these
are different. Like some cookies, they can be linked to a
particular computer which may then be linked to an individual user.
Where a link is established and profiles are created based on
static IP addresses, the addresses and the profiles would be
personal information and covered by the Act. However, it is not
easy to distinguish between dynamic and static IP addresses, so
there is limited scope for using them for personalised
profiling."
The Article 29 Working Party, the committee of Europe's privacy
watchdogs, has said that IP addresses should be treated as personal
data by ISPs and search engines, even if they are not always
personal data.
"Unless the Internet Service Provider is in a position to
distinguish with absolute certainty that the data correspond to
users that cannot be identified, it will have to treat all IP
information as personal data, to be on the safe side. These
considerations will apply equally to search engine operators," it
said in a report in April.
Disclaimer: We hope you find OUT-LAW’s content useful. It’s prepared by the lawyers at Pinsent Masons. Please remember, though, that it’s intended as general information only. It’s not legal advice. If that’s what you’re seeking, please
contact us. See also: our
full disclaimer
