Today on Twitter, @clarinette02 posted a link to an interesting article, “IP Addresses Are Personal Data, E.U. Regulator Says,” from a little over a year ago…
It reminded me of some work I was doing in around 2003 or so for a large multi-national hi-tech company based in the U.S. They were pushing out software changes and updates automatically to folks all over the world, based upon IP addresses and a combination of other information, to IP addresses obtained when the software was first installed. They did not give notice to their customers at that time that they would do this, and they did not obtain consent from individuals to do the auto updates based upon consent. They had never even considered or thought about IP addresses as being considered as personally identifiable information (PII).
Germany, along with a couple of other EU countries, made them stop doing business in their countries until they had changed their update processes and established procedures to give notice and obtain explicit consent to use the IP addresses. Why? Because IP addresses were, and still are, considered as PII in many countries, as the article previously referenced indicates.
It’s quite interesting to me that Google is trying to argue with the EU data commissioners about the EU’s own definition of PII.
Last fall I was told by an attendee at my 2-day class, “Information Security and Privacy Convergence and Collaboration” that Germany no longer considered IP addresses as PII or even had any restrictions upon it any longer. However, I have not been able to find any type of validation to support this statement. In fact, what I’ve found has been to the contrary.
Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 lists IP addresses as one of the data items that must be retained for generally 6 years, and must also have safeguards to strictly control access to it, since it could relate to specific individuals.
Sweden recently enacted a new law on April 1, 2009, Amendments to the legislation on IPR enforcement, supported by the International Federation of the Phonographic Industry (IFPI), to require Internet service providers to reveal the IP addresses of individuals believed to be illegally sharing copyrighted files; they consider the IP address to be an identifier to a specific individual.
According to the IFPI, at least fourteen other EU nations have also implemented the EU’s Directive on the Enforcement of Intellectual Property Rights: Austria, Cyprus, Czech Republic, Denmark, Estonia, Finland, Hungary, Ireland, Italy, Slovenia, Spain, France, the Netherlands, and the United Kingdom.
On March 31, 2009, in Brussels a European Parliament committee approved amendments to the European Union e-Privacy Directive (2002/58/EC) to require Web sites to gain user consent before storing information on, or accessing user information already stored on, a computer. Amendment No. 84 would require Web site operators to clearly notify visitors that a site uses cookies. The amendment changes providers’ obligations by stipulating that before “gaining access to information already stored in the terminal equipment of a subscriber or user,” the subscriber or user “has given his/her prior consent, which may be given by way of using the appropriate settings of a browser or another application.” The change was reported through various news outlets to help better inform users of situations in which their personal data, including IP addresses, are being accessed and sent over networks without their knowledge.
The European Union’s Consumer Affairs Commissioner Meglena Kuneva warned at a roundtable event in Brussels on March 31, 2009 that “The current work on privacy has concentrated on eliminating personally identifiable information such as name or [Internet protocol] addresses from the public domain…Consumer policy needs to go beyond that and address the fact that users have a profile and can be commercially targeted based on that profile, even if no one knows their actual name.”
So, it is clear that the EU data commissioner leaders still, quite strongly, believe that IP addresses are considered as PII. Kuneva explicitly listed IP addresses as a type of PII.
All organizations, especially those in the U.S. who try to define PII according to their own terms, need to understand that when they obtain PII from other countries, they must play by those countries’ rules and not try to tell them that their definitions of PII are “wrong.”
Tags: awareness and training, EU e-Privacy Directive, Information Security, IP address, IT compliance, IT training, policies and procedures, privacy training, risk management, security training