E.U. Regulator Says IP Addresses Are Personal Data

Posted by samzenpus
from the do-not-share dept.
NewsCloud writes "Germany's data-protection commissioner, Peter Scharr told a European Parliament hearing on online data protection that when someone is identified by an IP, or Internet protocol, address, 'then it has to be regarded as personal data.' Scharr acknowledged that IP addresses for a computer may not always be personal or linked to an individual. If the E.U. rules that IP addresses are personal, then it could regulate the way search engines record this data. According to the article, Google does an incomplete job of anonymizing this data while Microsoft does not record IP addresses for anonymous search."
  • by CaptainPatent (1087643) on Wednesday January 23, 2008 @11:55PM (#22163062) Journal
    The only way to check and see if your IP is being kept is by changing the protocol entirely or by checking the company's servers. I'm guessing that not too many companies would appreciate people routinely rooting around, and if something to check if an IP is stored were to be implemented, the protocol would have to be vastly overhauled and it could slow down the internet 80% or more because of the extra time needed to "check."

    The bottom line is this is much like the ruling in the US that companies had to keep a record of working memory (which is entirely impossible). This seems to be more legislators talking about something they know very little about.

    Don't get me wrong, I do appreciate the fact that it would make it harder for the ad industry to hunt you down which is always appreciated, I just don't think any reasonable implementation will work.
  • Re:So... (Score:5, Informative)

    by alx5000 (896642) <alx5000@@@alx5000...net> on Thursday January 24, 2008 @12:37AM (#22163316) Homepage
    There's no European equivalent to RIAA... maybe there's such an organization on a country level, but I can assure you that sharing is completely legal in Spain, since fair use covers any kind of private copy, no matter whether you own the original or not (and yes, P2P falls into that category).
  • by alx5000 (896642) <alx5000@@@alx5000...net> on Thursday January 24, 2008 @12:47AM (#22163370) Homepage
    And, yes, while we're at it, let's not prosecute fiscal fraud (since it's so hard to check the company's books, and not too many companies want theirs scrutinized).

    The same can be applied to websites collecting info on users to sell it to spammers. It's really, really (really!) hard to prove they've sold it, but that wouldn't stop legislators from sanctioning that law, would it?

    If the EU passes a law that adds IP addresses to the list of protected private data, that only means it is illegal to collect them and store them. And if you get caught, face the consequences, just like with any other law.
  • by dleigh (994882) on Thursday January 24, 2008 @12:56AM (#22163422) Homepage
    TFA (and some slashdot readers) seem to be assuming that he is calling for a ban on logging IPs. TFA is pretty thin on what was actually said at the meeting, just taking the assumption and asking a few search company spokespeople for their opinion on that assumption. The commissioner doesn't seem to be claiming anywhere that IP addresses should not be stored, or that regulators should check to see if they are not stored, or that any "implementation" of anything is or should be required. The only statement from him seems to boil down to "something which identifies a person should be considered personal data".
  • Re:Just Addresses (Score:5, Informative)

    by Beriaru (954082) on Thursday January 24, 2008 @01:12AM (#22163512)
    Your name is personal data, but not private.
    Your phone number is personal data, but not private.
    Your Address is personal data, but not private.
    And of course, your IP is not private... but is part of your personal data.

    Maybe in USA there is no difference between private and personal data, but in EU there's a big difference: nobody can NOT store your personal data without warning you and giving methods to correct AND ERASE your data.
  • by Anonymous Coward on Thursday January 24, 2008 @01:27AM (#22163580)
    Except for the glaring difference that companies are required to report their books for tax purposes which is what leads to them being caught.
    I agree that when found, companies keeping IP information should be prosecuted, but finding them (and even finding evidence if they're smart about it) is going to be much harder than you suggest if not impossible. The GP post is correct though that in order to even detect if the IP was being stored the entire internet protocol system would need to be highly revamped.
  • by thannine (576719) on Thursday January 24, 2008 @02:59AM (#22164096)

    The commissioner doesn't seem to be claiming anywhere that IP addresses should not be stored, or that regulators should check to see if they are not stored, or that any "implementation" of anything is or should be required. The only statement from him seems to boil down to "something which identifies a person should be considered personal data".
    And this would be the logical thing to say. Many posters have been wondering "how are they going to implement this?". Well, the thing is that laws like that are already in place (at least in Finland, but I'm assuming the rest of EU also), it's just the question of whether they apply to IP addresses as well as phone numbers, addresses, social security numbers etc. It's not illegal as such to store those, it's just regulated.
  • by nguy (1207026) on Thursday January 24, 2008 @04:26AM (#22164486)
    In Germany's current privacy and data protection laws, everybody has the right to decide what happens to their own personal information if it is being processed by computers.

    Well, that is, except for all the ways in which the German government uses that information to track you and spy on you. German privacy attitudes are schizophrenic: they live in a country with a history of governments perpetrating genocidal mass murder based, in large part, on personal information and connections between citizens. You were a Jew? You died. You had contact with communists? You died. The East Germans even continued that proud tradition of neighbors spying on neighbors and kids spying on parents throughout the 20th century.

    Yet, all Germans seem concerned about is whether big, evil US corporations can get their data, while everything they do and say can be traced back to them: phones need to be registered, web sites need to provide full information, there is effectively no anonymous free speech, televisions need to be registered, the German government can get all your connection information, and you even register your religion with the German government.

    German politicians talking about "privacy" is ridiculous. The "Bundesdatenschutzbeauftragter" is a smokescreen for one of the most intrusive surveillance societies in the world. Germans should worry about their own government before trying to tell other nations about data protection.
  • It's Peter SCHAAR (Score:4, Informative)

    by Doctor O (549663) on Thursday January 24, 2008 @04:31AM (#22164518) Homepage Journal
    His name is Peter Schaar, not Scharr. One would think the editors would at least *skim* TFA.

    Oh, and he's a great guy BTW, responding to email in a timely and thoughtful manner, and investigating the questions he's being asked.
  • by arkhan_jg (618674) on Thursday January 24, 2008 @04:45AM (#22164586)
    You're assuming the restrictions on personal data are greater than they are. If IP's are judged personal data, that makes them like a telephone number or an address (The Act covers any data which can be used to identify a living person). Still, you do have some responsibilities, *if you're in the EU* with regards handling personal data. Basically, there are restrictions on publishing it or sharing it around without permission, and you can only use it for the original purpose for which it was collected. (Sensitive personal data, i.e. really private stuff, is more strictly controlled)

    For example, say you were to publish your webserver access logs; you'd be better off anonymising the IP's somewhat first. Just as if I call you on the phone, you're allowed to store the caller ID, call me back or even put me on your internal call-list - but publishing my phone number, along with transcripts of our conversations without permission would be a no-no. Nor can you flog it off on the open market to cold callers. When you sign up for a phone line here, you're asked if you want the number to appear in the phone book, or go ex-directory.

    Again, this only applies if you live in an EU country with data protection laws.

    If IP addresses are personal data, and you visit my web page, and my access logs show I served an IP that you used at a certain time (or even just that I served an IP you used), am I now subject to laws regarding the holding of personal information?
    If you're an individual holding the data for your own personal use, you are exempt from much of the data protection act, including having to tell people when they ask what data you hold on them. If you're a company, when given a proper request and the fee to handle the request, would have to look in the logs when given the IP, and would have to report that yes, you hold 7 instances of that IP in your log. If your log expires before you have to answer the request (40 days I think), you don't have to give anything.

    If you were to contact me and request that information how would I authenticate you? If I was to disclose certain parts of the "personal data" that you claimed belonged to you, how could I know that I was not disclosing someone else's personal information, given that I can't necessarily authenticate you or anyone else and IP's can be re-allocated?
    You don't have to disclose the other data that goes with the IP, just the IP itself that they supply to you. You then say whether you hold that or not.

    If I ban an IP address for abusing my server and it is later re-allocated to someone else, is that slander?
    It'd be libel as it's written, not slander as that's spoken. Libel only applies if you *publish* lies about someone, such as 'this IP searches for goat porn' (when they don't). Storing it for your own blacklist is fine. If you're a company, the new holder of the IP could ask that you correct your record under data protection law though.

    If I forward an e-mail whose headers contain IP addresses of relay servers, is that unlawful disclosure of personal information?
    No, because relay servers do not identify a living human. Also, it's the processing and storage of personal identifying data for later use that's covered, not mere transmission. The owners of servers that store those emails would likely have responsibilities under the data protection act, but then they do anyway because of the contents of the email itself!
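
The comment above suggests anonymising the IPs in web server access logs before publishing them. The following is an added example, not part of the original comment or thread, showing one way to do that by zeroing host bits. The prefix lengths, function names and sample log lines are assumptions made for illustration; truncation only reduces how precisely an address points at a subscriber.

```python
import ipaddress

# Constructed sample lines in Apache Combined Log Format (not real traffic).
SAMPLE_LOG = """\
203.0.113.77 - - [24/Jan/2008:04:45:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
2001:db8:85a3:8d3:1319:8a2e:370:7348 - alice [24/Jan/2008:04:45:09 +0000] "GET /feed HTTP/1.1" 200 312 "-" "curl/7.18"
::ffff:198.51.100.23 - - [24/Jan/2008:04:46:12 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
client.example.net - - [24/Jan/2008:04:47:00 +0000] "GET / HTTP/1.1" 200 88 "-" "-"
"""

V4_PREFIX = 24  # assumption: keep the /24, zero the last octet
V6_PREFIX = 48  # assumption: keep the /48 site prefix, zero the rest


def mask_ip(text):
    """Return the address with its host bits zeroed, or None if not an IP."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return None
    # An IPv4-mapped IPv6 address embeds a full IPv4 address: mask it as IPv4.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    prefix = V4_PREFIX if addr.version == 4 else V6_PREFIX
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def anonymise_line(line):
    """Mask client address and drop ident/user; None for malformed lines."""
    parts = line.split(" ", 3)
    if len(parts) < 4:
        return None
    host, _ident, _user, rest = parts
    # A client field that is not an IP (reverse-resolved hostname) is blanked,
    # never passed through unchanged.
    return f"{mask_ip(host) or '-'} - - {rest}"


def anonymise_log(text):
    """Anonymise every well-formed line; malformed lines are left out."""
    out = (anonymise_line(line) for line in text.splitlines())
    return "\n".join(line for line in out if line is not None)


if __name__ == "__main__":
    print(anonymise_log(SAMPLE_LOG))
```

Only the first three fields are rewritten; request paths, referers and user-agent strings can still carry identifying values and need their own review before a log is published.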
  • by LordSnooty (853791) on Thursday January 24, 2008 @04:49AM (#22164596)
    Yup, in my country whenever a car is shown on a news report for example they blur out the registration number. This is in line with data protection legislation of the late 90s.
  • Re:Just Addresses (Score:1, Informative)

    by Anonymous Coward on Thursday January 24, 2008 @05:26AM (#22164728)

    [...] but in EU there's a big difference: nobody can NOT store your personal data without warning you and giving methods to correct AND ERASE your data.

    I suppose you wanted to say: "nobody is allowed to store your personal data without warning you and giving methods to correct and erase your data."
    This is a principle of German "Recht auf Informationelle Selbstbestimmung".

    Anyway, I agree with Germany's 'commissioner for data protection and freedom of information' Peter Schaar (wrong name in TFA) that an IP is public, but nevertheless personal data (better term in German: "personenbezogene Daten") because as the 'Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data' (see Directive 95/46/EC [europa.eu]) states:

    Article 2
    Definitions

    For the purposes of this Directive:
    (a) 'personal data' shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;

    Some prior commentators already agreed that a telephone number is personal data (though many don't seem to know the difference between private and personal data). Why not treat IPs the same way?

    Please note that not all is well in Europe since telephone numbers (already regarded as personal data) and IPs have to be stored by the associated carriers (ISPs for example) for later processing by law enforcement agencies (allegedly solely) in the course of investigating terroristic activities and other crimes (see 'Directive 2006/24/EC [europa.eu] of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks').
    This is heavily disputed (see e.g. http://www.dataretentionisnosolution.com/ [dataretent...lution.com] and Digital Rights Ireland challenge to Data Retention [digitalrights.ie]).
    By the way, there [riseup.net] are some proposed methods to disable logging of IPs regarding Apache webserver - et al.

    For more information about 'EU Data Retention' see EU Data Retention - doqumentation [quintessenz.at] and Electronic Privacy Information Center [epic.org].
