Dynamic IP address can be personal data

Nigel Miller

Whether or not an IP address is “personal data” can be a crucial question because the answer determines whether or not the data is subject to the rigours of the EU Data Protection Directive (in the UK, the Data Protection Act).

An IP address is a number used to identify a device on a network. An IP address can be “dynamic” or “static”. A static IP address remains constant and does not change every time the device connects to the Internet. In contrast, the more usual dynamic IP address changes each time a new connection is made.

It has long been agreed that static IP addresses are personal data because they enable a link to be made with a particular device for profiling. IP addresses enable an individual to be “singled out” (even if that individual’s real-world identity remains unknown).

In its early opinion 4/2007, the Article 29 Working Party accepted that an IP address, for example, for a computer in an Internet café used by many people may not identify any particular individual. In other cases, however, the IP address can be associated with a particular user if for example there is a log of who used the computer at the relevant time. The Working Party therefore concluded that all IP information should be treated as personal data, “to be on the safe side”.

The question of whether a dynamic IP address can be “personal data” was less certain.

Patrick Breyer v Bundesrepublik Deutschland

The Court of Justice of the European Union (CJEU) has now ruled that dynamic IP addresses held by a website operator are personal data where the operator has “the legal means which enable it to identify the data subject with additional data which the internet service provider has about that person”.

While a dynamic IP address alone may not directly identify an individual, when combined with other information a dynamic IP address could be used to identify the individual user.

The question before the Court was whether a dynamic IP address can be personal data if the relevant additional information is in the hands of a third party (an internet service provider).

The case was brought by a politician, Mr Patrick Breyer, against the Federal Republic of Germany, seeking to prevent it from storing, or arranging for third parties to store, his IP address from when he consulted publicly accessible websites of German Federal institutions. Mr Breyer claimed that IP addresses qualify as personal data under data protection laws, and therefore that consent was needed for processing such data.

If a user of a website reveals his identity on the website, for example by completing a form, then the IP address is certainly personal data because the operator of that website is able to identify the user by linking his name to his computer’s IP address.

However, if the user does not reveal his identity, the IP address alone does not enable the user to be directly identified. The website operator can identify the user only if the information relating to his identity is communicated to them by his ISP.

The court decided that the fact that the additional data necessary to identify the user are held, not by the website operator, but by the user’s ISP does not exclude dynamic IP addresses from being personal data. The question is whether the website operator has a legal way to obtain the additional data from the ISP. In that case it was decided that the Federal Republic of Germany did have a legal means to obtain the necessary additional information from the ISP, and therefore the raw dynamic IP address data should be regarded as personal data. For information to be treated as “personal data”, it is not necessary that all the information enabling the identification of the data subject be in the hands of one person.

Comment

The Court has decided that a dynamic IP address could – but will not always necessarily – constitute personal data. In light of this decision, businesses that have not up to now been treating dynamic IP addresses as personal data need to re-assess that position and may need to alter data compliance practices. This may for example impact businesses engaged in online analytics and targeted advertising.

It may be that the case highlights a possible difference between the UK Data Protection Act and the implementation of the Directive in other EU countries. In the UK, data is personal data if an individual can be identified from those data and from “other information which is in the possession of, or is likely to come into the possession of, the data controller”. Is data “likely” to come into the possession of a data controller where the only way for him to obtain it is to ask for it?

All this will soon become academic as, looking ahead to May 2018, the General Data Protection Regulation (GDPR) specifically includes online identifiers, such as IP addresses, in its definition of “personal data”. It’s not that the position is now beyond doubt, it’s just that the nature of the question is changing …


Nigel Miller is a partner in the commerce & technology team at City law firm Fox Williams LLP and can be contacted at nmiller@foxwilliams.com


Privacy Shield, the new Safe Harbor

Nigel Miller

The EU has approved a new framework for transfers of personal data from the EU to the US, called the EU-US Privacy Shield. The Privacy Shield will replace the old ‘Safe Harbour’, which was ruled invalid in October 2015.

According to the EU, the EU-US Privacy Shield is fundamentally different from the old ‘Safe Harbor’. Like Safe Harbor, it is a self certification process. However, it imposes stronger obligations on companies handling the data to make sure that the rules are followed and enforced in practice.

Also, for the first time, the U.S. has given the EU written assurance that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms and has ruled out indiscriminate mass surveillance of European citizens’ data. Privacy Shield also provides some mechanisms for redress including a specific ombudsman.

Registration for Privacy Shield can begin on 1 August 2016. US companies that wish to take advantage of Privacy Shield can benefit from a nine-month grace period to get into compliance if they register for Privacy Shield before the end of September 2016. So this does not give much time to decide about this and take action.

Unfortunately, while Privacy Shield is a very welcome development, it does not mean that the whole vexed issue of transfers from the EU to the US has been resolved. The Article 29 Working Party – made up of the European data protection regulators – has been critical of certain aspects of Privacy Shield, which raises the possibility that Privacy Shield will itself be subject to challenge at some point.

In addition, the EU Model Clauses – the main enabling solution for transfers of personal data from the EU – have also been referred to the EU court by the Irish data protection regulator and could possibly suffer the same fate as Safe Harbor.

Privacy Shield – progress, but not the legal certainty that businesses need.

Nigel Miller is a partner in the commerce & technology team at City law firm Fox Williams LLP and can be contacted at nmiller@foxwilliams.com

Brexit – ICO statement

An ICO spokesperson said on 24 June 2016:

“The Data Protection Act remains the law of the land irrespective of the referendum result.

“If the UK is not part of the EU, then upcoming EU reforms to data protection law would not directly apply to the UK. But if the UK wants to trade with the Single Market on equal terms we would have to prove ‘adequacy’ – in other words UK data protection standards would have to be equivalent to the EU’s General Data Protection Regulation framework starting in 2018.

“With so many businesses and services operating across borders, international consistency around data protection laws and rights is crucial both to businesses and organisations and to consumers and citizens. The ICO’s role has always involved working closely with regulators in other countries, and that would continue to be the case.

“Having clear laws with safeguards in place is more important than ever given the growing digital economy, and we will be speaking to government to present our view that reform of the UK law remains necessary.”

——

For our comment on Brexit, please see our earlier blog post here.

Brexit and the future of Data Protection

Nigel Miller

Having spent several years negotiating the new EU General Data Protection Regulation (GDPR), could it be that if the UK votes for Brexit on 23 June 2016 we will no longer need to be troubled with this mammoth piece of new legislation?

The GDPR will come into force across the EU on 25 May 2018. It represents a major upgrade to Data Protection laws, which are woefully out of date for the digital connected world. While 2018 is a little time away, because of the substantive changes involved, businesses are starting now to consider what they need to do to make sure that they are compliant by 2018 at the latest.

So, the question is, if the UK is no longer a member of the EU, will the GDPR still be relevant? In brief, the answer is YES.

First, from a timing viewpoint, while a vote for Brexit may be passed in June 2016, the UK’s actual exit from the EU will take place at least two years later. This means that the UK will still actually be a member of the EU, although under notice of leaving, when the GDPR comes into force in May 2018.

While this first point may be short-lived, as the ICO has stated, “the UK will continue to need clear and effective data protection laws, whether or not the country remains part of the EU”. Having been part of the lengthy process of negotiating the GDPR, it is highly unlikely that the UK would do a U-turn on its implementation. While there may be some who will argue that the UK could benefit from not being weighed down by this somewhat bloated and bureaucratic Regulation, and could opt for something more streamlined and flexible, there is unlikely to be much appetite to change things materially.

Furthermore, for the UK to trade with the EU, it will be essential for the UK to be regarded as a safe harbor to receive personal data from the EU. This in turn depends on the data protection laws of the UK being in line with those in the EU. This is ironic given that the EU Data Protection Directive of 1995 was based in large measure on the original UK Data Protection Act of 1984.

Following a Brexit, the UK would be in the somewhat awkward position of having to ask the EU to make a formal ruling that the UK has “an adequate level of protection for personal data”. Such a ruling has been made in relation to countries such as Switzerland, Canada and New Zealand, and would be required to enable EU-based businesses to transfer personal data to the UK, and to give confidence to EU-based consumers transacting with UK businesses.

While there are many unknowns about Brexit, not least (at the time of writing) whether we are in or out, since May 2016 when the GDPR was approved, the future as regards Data Protection laws looks pretty clear.

Nigel Miller is a partner in the commerce & technology team at City law firm Fox Williams LLP and can be contacted at nmiller@foxwilliams.com

ICO publishes Encryption Guidance

Nigel Miller

Users of WhatsApp will have noticed intriguing messages that WhatsApp is now securing all chat messages and calls with end-to-end encryption.

This coincides with new guidance issued by the UK Information Commissioner’s Office (ICO) on the use of encryption.

The ICO refers to the fact that many data security breaches are caused by data – or the devices on which the data was stored – being inadequately protected.

The ICO takes the view that where encryption software has not been used to protect the data, regulatory action may be taken.

The ICO has shown itself willing to impose hefty fines on organisations that lose data that was unprotected. For example:

  • the ICO imposed a fine of £150,000 on Greater Manchester Police after a USB stick containing data on police operations was stolen from an officer’s home. The stick contained personal data of over 1,000 people with links to serious organised crime. It was unencrypted and had no password protection;
  • Welcome Financial Services Limited was fined £150,000 after the loss of more than half a million customers’ details. Welcome was unable to locate two backup tapes which contained the names, addresses and telephone numbers of customers. Data on the backup tapes was not encrypted.

Aside from fines, organisations risk significant damage to their reputation as well as compensation claims if they do not store personal data securely.

The legal requirements

The Data Protection Act (DPA) is not prescriptive as to how data should be secured. It simply says, in Principle 7, that:

“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”.

While encryption is not a legal requirement, in many cases encryption provides an appropriate safeguard because it is a widely available technology with a relatively low cost of implementation. However, it is not the only option and should be considered alongside other measures. The ICO recommends that this is done by carrying out a Privacy Impact Assessment and taking a risk-based approach.

The ICO refers to various typical scenarios where an organisation might consider encryption; for example, transferring data by disc, USB or email; data storage and back-ups; mobile devices; CCTV; call recordings; and drones.

Use of PINs

The guidance refers to the practice of setting a PIN or requiring users to provide a username/password in order to access a device. Whilst this can offer some assurance, the ICO says that it provides little protection to the underlying data, which is commonly stored in plain text on the disk, and that it should not be considered as equivalent to encryption.

Email

Email presents a particular everyday problem. A common type of personal data disclosure can occur when an email is sent to the wrong recipients. Data can also be at risk if an individual gains unauthorised access to the email server or online email account. However, encrypted email solutions can be complex to set up and there is still currently no universally-adopted method for sending email securely.

The ICO recommends that data controllers have a policy governing encrypted email, including guidelines that enable staff to understand when they should or should not use it. For example, there may be a guideline stating that any email containing sensitive personal data (either in the body or as an unencrypted attachment) should be encrypted. Information can also be sent by email as an encrypted attachment, e.g. one protected by a password which is transferred to the recipient. The password must be sufficiently complex to prevent compromise and should be communicated over a separate channel, e.g. by disclosing the password over the telephone or by SMS.

Mobile devices

Another common problem is the loss or theft of mobile devices such as laptops, smartphones and tablets. By their very nature mobile devices have a high risk of loss or theft. Encryption of the data contained on the device can provide an assurance that, if this happens, the risk of unauthorised or unlawful access is significantly minimised.

Position under the GDPR

Looking ahead, the new EU General Data Protection Regulation, due to come into force in two years’ time, specifically refers to encryption as an appropriate technical and organisational measure. Furthermore, the GDPR provides that organisations that suffer a data breach may not need to notify the data subjects where the data was encrypted. This could be very helpful in preventing the data breach getting into the news, thereby limiting reputational damage caused by the breach.

Next steps

The simple message from the ICO – encryption doesn’t have to be complicated or difficult and could help you avoid a fine. Don’t wait until after a data breach to start using it.


Nigel Miller is a partner in the commerce & technology team at City law firm Fox Williams LLP and can be contacted at nmiller@foxwilliams.com