What does your IP address say about you?
For quite a while now European jurisdictions have been debating to know whether an IP address should be considered as a personal data, pursuant to the definition of the EU Directive . A recent French court decision seems to have refuelled the debate.
Why such a debate? If IP addresses are qualified as personal data, their automated processing will be submitted to applicable Data Protection regulations.
Personal data is defined by article 2 of the EU Directive as “any information relating to an identified or identifiable natural person (’data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity”
An IP address, in isolation, is focused on a computer and not an individual. Therefore, it may not, directly lead to identification. However, in the hands of an ISP for example, an IP address becomes personal data when combined with other information that is held – which will include a customer’s name and address. In the hands of a website operator, it may become personal data through user profiling.
The regulatory approach to IP addresses illustrates the dilemma that the Directive’s sweeping definition of ‘personal data’ can cause. According to the stated position of the Working Party 29, “IP addresses attributed to Internet users are personal data and are protected” by the Directive . Such position has also been adopted by the Data Protection Authorities from Member States, in an opinion dated June 20, 2007, which stated that the IP address that was attributed to an individual for communications purposes is a personal data.
However the debate remains. Many Internet professionals, such as Google, are challenging such qualification.
In France, the debate is fuelled by the fight against illegal downloads of protected work through Peer To Peer networks. Sworn agents from copyright management companies did set up automated processing of IP addresses for users of P2P networks illegally downloading protected work.
The French data protection authority (“CNIL”) considers that IP addresses are personal data and as such all automated processing of IP addresses shall be declared to the CNIL which shall allow it. In 2005, the CNIL forbade the SACEM to collect IP addresses on P2P networks. However, this decision has been cancelled in May 2007 by the Administrative Jurisdictions.
In parallel, two successive decisions of the Paris Court of Appeal, in April and May 2007, also overturned the CNIL’s position claiming IP addresses shall not be considered as personal data as it does not allow identifying an individual without a specific judicial proceeding.
The Court of Appeal of Paris rules that the IP address is “a series of numbers that does not constitute an indirectly nominative data relating to the user because it only relates to a machine and not to the user of the computer infringing copyrights” (Court of Appeal of Paris, May 15th 2007).
The Court of Appeal of Rennes ruled, on the contrary, that this type of treatment of IP addresses by the SACEM and SDRM (copyright management companies) shall trigger a declaration and be submitted to the prior authorization of the CNIL. However, on January 13, 2009, the French Supreme Court decided against this interpretation but not quite for the reasons we could have expected.
Indeed, despite other reports claiming that the Supreme Court ruled that IP addresses are not personal data, our understanding is different.
The Supreme Court never expressly stated that IP addresses are or are not personal data. However, it went back to the facts of the case and noticed that the IP addresses had been collected and processed manually by a sworn agent. As such, the Supreme Court considered that the act of collecting an IP address, without using an automatic monitoring device, for the purpose of obtaining an individual’s identity does not constitute data processing.
By ruling so, the Supreme Court clearly excludes the need for the CNIL’s prior authorization. However, it cannot be deducted that the Court excludes the qualification of IP addresses as personal data. The question still remains unanswered.
We can not escape wondering why the Supreme Court did not seize this opportunity to put an end to the debate. One of the answers for such silence may be related to economic considerations. Indeed, treating IP addresses as personal information would have an impact not only on the chase of illegal downloads of protected work but would also have implications, for example, for how search engines record data.
We can only hope that Internet professionals will be provided with a clear and definitive answer soon.
But such answer may be coming from the technology, if the legal experts can not agree. Indeed, the IPv4 (version of the Internet protocol currently mainly used) identifies a system and can not warrant identification of a computer. On the contrary, the IPv6 (new version of the Internet protocol available but which requires an update of many infrastructures) will allow identifying with certainty a machine, and therefore will be more reliable to attach an IP address to a specific individual.
However, this shall not release competent authorities and jurisdiction of their obligation to reach an agreement on this topic…
By Diane MULLENEX (firstname.lastname@example.org), Avocat à la Cour and Solicitor (England & Wales) and Annabelle RICHARD (email@example.com), Avocat à la Cour and Attorney at Law (New York State) at Ichay & Mullenex Avocats.
Ichay & Mullenex Avocats is a French law firm focusing on all legal issues related to the new technologies in France and abroad. They are considered experts in intellectual property and Internet law, e-commerce, online gaming, data protection. Ichay & Mullenex Avocats also assists its clients on all issues related to financing, mergers & acquisitions, restructuring, etc. and advises them on their litigation and arbitration procedures.