Dynamic IP address can be personal data

Nigel Miller
Nigel Miller

Whether or not an IP address is “personal data” can be a crucial question because the answer determines whether or not the data is subject to the rigours of the EU Data Protection Directive (in the UK, the Data Protection Act).

An IP address is a number used to identify a device on a network. An IP address can be “dynamic” or “static”. A static IP address remains constant and does not change every time the device connects to the Internet. In contrast, the more usual dynamic IP address changes each time a new connection is made.

It has long been agreed that static IP addresses are personal data because they enable a link to be made with a particular device for profiling. IP addresses enable an individual to be “singled out” (even if that individual’s real-world identity remains unknown).

In its early opinion 4/2007, the Article 29 Working Party accepted that an IP address, for example, for a computer in an Internet café used by many people may not identify any particular individual. In other cases, however, the IP address can be associated with a particular user if for example there is a log of who used the computer at the relevant time. The Working Party therefore concluded that all IP information should be treated as personal data, “to be on the safe side”.

The question of whether a dynamic IP address can be “personal data” was less certain.

Patrick Breyer v Bundesrepublik Deutschland

The Court of Justice of the European Union (CJEU) has now ruled that dynamic IP addresses held by a website operator are personal data where the operator has “the legal means which enable it to identify the data subject with additional data which the internet service provider has about that person”.

While a dynamic IP address alone may not directly identify an individual, when combined with other information a dynamic IP address could be used to identify the individual user.

The question before the Court was whether a dynamic IP address can be personal data if the relevant additional information is in the hands of a third party (an internet service provider).

The case was brought by a politician, Mr Patrick Breyer, against the Federal Republic of Germany seeking to prevent them from storing, or arranging for third parties to store, his IP address from when he consulted publicly accessible websites of German Federal institutions. Mr Breyer claimed that IP addresses qualify as personal data under data protection laws; and therefore that consent was needed for processing such data.

If a user of a website reveals his identity on the website, for example by completing a form, then the IP address is certainly personal data because the operator of that website is able to identify the user by linking his name to his computer’s IP address.

However, if the user does not reveal his identity, the IP address alone does not enable the user to be directly identified. The website operator can identify the user only if the information relating to his identity is communicated to them by his ISP.

The court decided that the fact that the additional data necessary to identify the user are held, not by the website operator, but by the user’s ISP does not exclude dynamic IP addresses from being personal data. The question is whether the website operator has a legal way to obtain the additional data from the ISP. In that case it was decided that the Federal Republic of Germany did have a legal means to obtain the necessary additional information from the ISP and therefore the raw dynamic IP address data should be regarded as personal data.  For information to be treated as “personal data”, it is not necessary that all the information enabling the identification of the data subject must be in the hands of one person.

Comment

The Court has decided that a dynamic IP address could – but will not always necessarily – constitute personal data. In light of this decision, businesses that have not up to now been treating dynamic IP addresses as personal data need to re-assess that position and may need to alter data compliance practices. This may for example impact businesses engaged in online analytics and targeted advertising.

It may be that the case highlights a possible difference between the UK Data Protection Act and the implementation of the Directive in other EU countries. In the UK, data is personal data if an individual can be identified from those data and from “other information which is in the possession of, or is likely to come into the possession of, the data controller”. Is data “likely” to come into the possession of a data controller where the only way for him to obtain it is to ask for it?

All this will soon become academic as, looking ahead to May 2018, the General Data Protection Regulation (GDPR) specifically includes online identifiers, such as IP addresses, in its definition of “personal data”. It’s not that the position is now beyond doubt, it’s just that the nature of the question is changing …

 

Nigel Miller is a partner in the commerce & technology team at City law firm Fox Williams LLP and can be contacted at nmiller@foxwilliams.com

Data, duties and directors

Jessica Calvert
Jessica Calvert

The ICO blog recently reported that of the £2.7 million worth of fines issued in relation to nuisance calls since April 2015, only 6 of the 27 fines issued have been paid, leaving a total of £2.26 million penalties unpaid. The Privacy and Electronic Communications (EC Directive) Regulations 2003 (“Privacy Regulations”) contain powers for the ICO to fine companies which make marketing calls and texts, where the recipients have not consented to be contacted.

Recent fines that have been issued include:

  • a £70,000 fine to London based Nouveau Finance Limited, a company that sent 2.2 million spam text messages without consent from the recipients;
  • a £30,000 to Assist Law, a will writing firm in Weston-Super-Mare for making unsolicited marketing calls to persons registered with the Telephone Preference Service (TPS) for over a year.

Many of the companies fined however have so far avoided paying the fines by filing for insolvency. As the regulator put it “leaving by the back door as the regulator comes through the front door”.

At present the ICO can issue fines of up to £500,000 where there has been a serious contravention. These can be imposed on any legal person (e.g. a business or charity, or an individual), however there is no specific right to fine the directors responsible for such companies. A change to legislation is expected in Spring 2017 which will introduce fines of up to £500,000 for directors of nuisance marketing firms, and hopefully break the cycle whereby the same directors continue to operate under a new company.

The change in law should also be noted by all directors that fall within the remit of the Data Protection Act 1998 (“DPA”), if not the Privacy Regulations, as there is a clear move being made to seek to penalise those accountable for breaches relating to personal data. Points worth noting are:

  • The ICO have the power to fine directors for breaches of the Data Protection Act where breach can be shown to have occurred with a director’s consent, connivance or neglect;
  • Under the GDPR fines of value up to 4% of annual worldwide turnover, or 20 million euros, whichever is greater, will be possible;
  • When the GDPR is enacted data processors as well as data controllers will also be caught; and
  • Breach of general director duties to act in good faith, in the best interests of the company, and to exercise reasonable care, skill and diligence could result in an action for damages, termination of a directorship, or disqualification as a director.

Jessica Calvert is an associate in the commerce & technology team at City law firm Fox Williams LLP and can be contacted at jcalvert@foxwilliams.com

ICO reports its own data security breaches

Josey BrightAn article in the Evening Standard last week revealed that the ICO has investigated itself in a number of complaints made against it since 2013, at least 11 of which have been upheld.

Seven of the complaints resulted in the ICO being ordered to take action to prevent further breaches, two with compliance advice being given, and two with concerns being raised.

There were also at least three occasions where the ICO’s own staff reported themselves to the Information Commissioner for accidental breaches of individuals’ personal data, although the Information Commissioner ruled that there was “no detriment” to anyone arising from the self-reported breaches.

The ICO’s internal investigations were revealed following a Freedom of Information request made by Liberal Democrat peer, Lord Paddick. In a letter to Lord Paddick’s office, the ICO’s lead information access officer, Ian Goddard, said: “We oversee the Data Protection Act 1998 but we also have to comply with its requirements. This means that on occasion we will have to self-report to ourselves in our capacity as a regulator. It also means that individuals can raise complaints about us, to us, in our capacity as a regulator.”

The article serves as a reminder that, from 25 May 2018, when the General Data Protection Regulation (“GDPR”) comes into force, it will be mandatory to report data breaches. Currently, under the Data Protection Act, it is not compulsory for data controllers (excluding telco’s) to report breaches of data security to the ICO although ICO non-binding guidance recommends that serious breaches should be brought to its attention.

Under the GDPR, organisations will be required to notify the ICO of a data breach without undue delay and where feasible, within 72 hours. In addition, data processors will be required to notify data controllers of a data breach. Failure to report a breach could result in a fine, as well as a fine for the data breach itself. With the maximum fines under the GDPR raised to the higher of 4% of annual worldwide turnover or 20 million euros, organisations should ensure that they have the right procedures in place to detect, report and investigate a personal data breach.

Josey Bright is an associate in the commerce & technology team at City law firm Fox Williams LLP and can be contacted at jbright@foxwilliams.com

Appointing a Data Protection Officer: practical points

elisabettaWith the implementation of the General Data Protection Regulations (“GDPR”) companies are expected to put in place clear governance measures to ensure compliance. Amongst other things, these measures include the minimisation of data protection breaches and the strengthening of internal policies and training procedures. This may also involve the appointment of a Data Protection Officer (“DPO”). Set out below some practical points companies should consider when appointing a DPO.

Managing the DPO appointment process

This new requirement left most companies with a number of questions relating to the appointment of a DPO, including:

  • Timeline for appointments
  • Obligation to appoint a DPO
  • Qualifications required by a DPO
  • Tasks of a DPO
  • One individual to represent the companies of a group of undertakings (“Group”)
  • Existing member of staff or external candidate and type of contract

Timeline

Companies are not required to comply with the GDPR until the 25 May 2018 and until then there is no obligation to appoint a DPO. Although the deadline seems somewhat remote, companies should take into consideration the timeframes required (i) to find the appropriate candidate with the right qualifications to fulfil the role; and (ii) to approve headcount. Further, should a company decide to appoint an existing member of staff, appropriate training must be arranged and this may take time.

Obligation to Appoint

Article 37(1) sets out instances where companies are under a strict obligation to appoint a DPO. These are when the processing:

  1. is carried out by a public authority (except for courts acting in their judicial capacity);
  2. requires regular and large scale systematic monitoring of individuals (eg. online behaviour tracking); or
  3. consists of large scale processing of special categories of data (such as data that reveals racial or ethnic origin, political opinions, religious beliefs etc.) or data relating to criminal convictions and offences.

Qualifications

The GDPR does not expressly set out a list of compulsory qualifications required by a DPO, but Article 37(5) provides that a DPO must be appointed on the “basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Art 39”. As such, it would be reasonable for a company to assess its needs based on the type of processing it carries out and the protection the data processed requires when assessing the level of qualification expected of a DPO.

Tasks

The tasks of a DPO are set out in Article 39 and include:

  1. informing and advising the company and employees about their obligations under the GDPR and data protection laws;
  2. monitoring compliance with GDPR and other data protection laws (eg. training of staff, internal audits, managing internal data protection activities, data protection impact assessments etc.); and
  3. cooperating with supervisory authorities and becoming their first point of contact.

One Appointment for the Group

When it comes to group enterprises, the GDPR allows for one single individual to be appointed as the DPO for the whole Group, being the Group’s companies located in the EU and/or outside of the EU. More particularly, Article 37(2) states that “a group of undertakings may appoint a single data protection officer provided that a data protection officer is easily accessible from each establishment”.

Internal or External Candidate

Companies may decide to appoint an existing member of staff as their DPO, provided that no conflict of interests arises, or decide to hire someone external. The DPO may be employed or hired on a service contract basis. However, the costs of selecting an internal candidate and training them must be balanced against the costs of recruiting someone external.

Although a company may save some money when appointing an existing member of staff rather than going through the often laborious and expensive recruiting process, it is important to balance costs and convenience against the benefits of selecting a candidate with the right level of experience and knowledge in order to provide the company with the adequate compliance program that could successfully sustain the regulatory checks of the supervisory authority.

Whilst hiring a DPO will become something that most companies will have or will decide to comply with, it is worth considering that becoming a DPO carries certain responsibilities that could reduce the appeal for such role. Being responsible for the company’s potential penalty of up to 20 million Euros or 4% of the organisation’s worldwide turnover for non-compliance, might not be so appealing to an individual that does not have the required expertise to ensure the company’s compliance with the GDPR.

Securing the right level of protection your company requires based on your activities should be a priority and one that does not need to wait until May 2018.

Elisabetta Elia is an associate in the commerce & technology team at City law firm Fox Williams LLP and can be contacted at eelia@foxwilliams.com

ICO: “Cyber security is not an IT issue, it is a boardroom issue”

Josey BrightTalk Talk

On 5 October 2016, Talk Talk was issued with a £400,000 fine – the highest fine yet from the Information Commissioner’s Office (“ICO”) – for breach of its security obligations under the Data Protection Act 1998 (“DPA”).

Between 15 and 21 October 2015 a hacker took advantage of technical weaknesses in Talk Talk’s systems and succeeded in accessing the personal data of 156,959 customers. In 15,656 cases, the attacker also had access to bank details and sort codes.

The Information Commissioner, Elizabeth Denham, said that the “fine acts as a warning that cyber security is not an IT issue, it is a boardroom issue. Companies must be diligent and vigilant. They must do this because they have a duty under law, but they must also do this because they have a duty to their customers.”

In addition to the fine, the costs resulting from Talk Talk’s data security breach amounted to £60 million.

Data Security Principle under the DPA

The seventh data protection principle in the DPA requires that personal information must be kept secure. It says that: “appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”

The DPA is not prescriptive about what measure must be taken and there is no “one size fits all” solution to information security. The security measures that are appropriate for an organisation will depend on its circumstances, and businesses should adopt a risk-based approach to deciding what level of security they need.

Preventative measures – lessons learnt from the ICO’s Talk Talk investigation

The ICO found inadequacies in Talk Talk’s security measures were the result of “serious oversight” rather than an deliberate intent to ignore or bypass the provisions of the DPA. The cyber-attack could have been prevented if the company had taken basic technical and security measures. In particular, the ICO identified the following issues:

  • Legacy Pages: the data was part of an underlying customer database that Talk Talk inherited when it acquired Tiscali in 2009. These pages were vulnerable and Talk Talk had failed to identify and remove them or make them secure.
  • Outdated Software: Talk Talk was not aware the database software was outdated. It did not know that the software had a bug or that a remedy for the bug had been publicised in 2012 and was easily available.
  • Defences: The hacker used a common technique called SQL injection to which defences exist. Talk Talk ought to have known that there was a risk to the data from this technique and ought to have implemented sufficient defences.
  • Lack of Monitoring: Talk Talk did not proactively monitor its systems to discover vulnerabilities.

The investigation found Talk Talk was unaware of two previous SQL injection attacks on 17 July 2015 and between 2-3 September 2015 and consequently Talk Talk’s contravention of the seventh data protection principle was ongoing until it took remedial action on 21 October 2015.

The ICO considered the breach serious due to the number of data subjects, the nature of personal data and the potential consequences from the breach – the data could be used for fraudulent purposes.

Other notable cyber attacks

The Talk Talk breach is one of several security breaches to have come to light  in recent months. The size and scale of these security breaches illustrates the Commissioner’s statement that companies urgently need to take stock of their cyber security arrangements.

  • Myspace: In June this year, Myspace discovered 360 million passwords and email addresses had been stolen in a hack that occurred in 2013 and these details were discovered listed on the dark web.
  •  Yahoo: In August, Yahoo discovered that at least 500 million of its accounts had been hacked in 2014. Yahoo only discovered the 2014 breach because it was investigating reports of a separate breach. The theft is the world’s biggest cyber breach so far. The data stolen included names, email addresses, telephone numbers, dates of birth and encrypted passwords.
  •  Tesco Bank: Early this month, Tesco Bank suffered a serious cyber-attack which affected 40,000 customer accounts. Money was stolen from 9,000 current accounts, forcing Tesco Bank to suspend all online transactions. Its security arrangements are currently being investigated by a number of regulatory bodies including the National Crime Agency and the ICO. However, a number of cyber security experts have indicated that its software was vulnerable and was being targeted by cyber criminals for months. Notwithstanding any fines Tesco Bank may be required to pay, it has already spent £2.5 million compensating customers for their losses. 

Practical steps for securing data

By being vigilant and proactive, companies ought to be able prevent significant security breaches and the regulatory fines and compensation payments incurred, not to mention the stigma that such breaches attract.

The following practical steps should be considered to enhance data security:

  • Updates Policy: it is good practice to have an updates policy for software which is used to process personal data and to ensure all software components are included in the policy (e.g. operating systems, applications, libraries and development frameworks);
  • Testing: regularly test and monitor online systems and software for common threats such as SQL injections;
  • Unnecessary Services: completely decommission any service that is not necessary and periodically review remaining services; and
  • Encryption: use encryption schemes to secure the communication of data across the internet.

Higher fines under the General Data Protection Regulation (“GDPR”)

The maximum fine the ICO is currently able to award under the DPA is £500,000. The new General Data Protection Regulation (GDPR), which will have effect from May 2018, offers the ICO the potential to fine up to 20,000,000 EUR or up to 4% of annual worldwide turnover, whichever is the higher.

That’s 20m reasons for companies to review their data security policies and practices.


Josey Bright is an associate in the commerce & technology team at City law firm Fox Williams LLP and can be contacted at jbright@foxwilliams.com