Is an IP Address Personal Data?
The answer seems to be – maybe no, but maybe yes, depending on the circumstances.
The key to unlocking this conundrum is whether or not the IP address can be used to help identify a living individual.
An IP (or internet protocol) address is a numeric code, assigned by an internet service provider (ISP), which identifies a device, such as a computer, on the internet. IP addresses are either static (always the same) or dynamic (changing when a user logs on).
ISPs allocate IP addresses in batches – the number may reveal the identity of the ISP and may identify the city in which the computer is located, but it does not reveal a specific geographic address. IP addresses are allocated to a subscriber and not an individual using the computer, so they may help identify an internet café or business but not necessarily the individual sitting at the PC.
Definition of Personal Data
Section 1 of the Data Protection Act defines personal data as:
‘data which relate to a living individual who can be identified –
(a) from those data, or
(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller …….’
According to the Technical Guidance published by the Information Commissioner’s Office (ICO) in 2007, to be personal data, information must ‘relate to’ a living identifiable person. Information will ‘relate to’ a person if it is about him, linked to him, has some biographical significance for him is used to inform decisions affecting him or has him as its main focus or impacts on him in any way.
‘A practical difficulty arises when collecting information online because non-obvious identifiers, such as cookies or IP addresses, are linked to a device rather than a particular user. In many cases a device will have multiple users, for example a shared household PC. This may make it impossible to tell whether the information obtained is about a single user or a group of users.
A single household PC may have different family members using it under the same login identity. As a result, the IP address and cookies cannot be connected to a single user. Therefore it is unlikely that this information will be personal data. However, if each family member logs in separately, then any online activity will relate to that particular login identity. This will mean that the cookies used are more likely to be personal data. An IP address is only likely to be personal data if it relates to a PC or other device that has a single user.
When you cannot tell whether you are collecting information about a particular person, it is good practice to treat all the information collected as though it were personal data.’
Judicial Review of the Digital Economy Act 2010
BT and TalkTalk (R (BT Telecommunications PLC & Anor) v Secretary of State for Business, Innovation and Skills  EWHC 1021 (Admin)) sought judicial review of the Digital Economy Act 2010 on the grounds that its provisions were incompatible with EU law, including the Data Protection Directive. In the course of considering this question, the High Court looked at whether, by linking the IP address provided by a copyright owner with an individual subscriber's name and address, and writing to him and compiling lists, ISPs were processing personal data.
Article 2(a) of the Data Protection Directive defines ‘personal data’ as:
‘any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.’
The High Court noted that the European Working Party on Data Protection and Privacy had concluded (Opinion 4/2007 (01248/07/EN, WP 136) - pages 16 and 17) that dynamic IP addresses were personal data, stating:
‘Internet access providers and managers of local area networks can, using reasonable means, identify Internet users to whom they have attributed IP addresses as they normally systematically "log" in a file the date, time, duration and dynamic IP address given to the Internet user. The same can be said about Internet Service Providers that keep a logbook on the HTTP server. In these cases there is no doubt about the fact that one can talk about personal data in the sense of Article 2(a) of the [Data Protection Directive].’
‘Especially in those cases where the processing of IP addresses is carried out with the purpose of identifying the users of the computer (for instance, by Copyright Holders in order to prosecute computer users for violation of intellectual property rights), the controller anticipates that the "means likely reasonably to be used" to identify the persons will be available e.g. through the courts appealed to (otherwise the collection of the information makes no sense), and therefore the information should be considered as personal data.’
The High Court held that the data being processed by ISPs did relate to an identified or identifiable person because the subscriber, who could be identified through the dynamic IP address, was linked to the data (in this case the particulars of the copyright infringement, including the dynamic IP address). The court therefore decided that the data being processed were personal data.
London Borough of Hackney
The most recent pronouncement (ICO decision notice FS50315994 dated 23 June 2011) on the issue concerns an online survey conducted by the London Borough of Hackney on a proposal to install a wind turbine. The Council was asked to disclose information about the responses to that survey, including:
a) the IP addresses (not related to any other data) of the respondents; and
b) a list of all the addresses (with the street number and name removed, i.e. leaving the area, city and postcode of the respondents).
The Council disclosed the street names, cities or towns and the postcodes to the enquirer, but refused to disclose the IP addresses on the grounds that they were personal data, their disclosure would be a breach of the first Data Protection Principle and therefore the Council could rely on the exemptions in sections 40(2) and 41(1) of the Freedom of Information Act and was not obliged to disclose the IP addresses.
The enquirer complained to the ICO, arguing that:
i) his request for information had ensured that no privacy or Data Protection Principles would be compromised;
ii) the guidance quoted from the Personal Information Online Code of Practice did not apply in this case;
iii) the IP addresses in isolation were not personal data because they were associated with pieces of electronic equipment which could not be connected to an identifiable individual; and
iv) there was no way to establish who was using the computer to which the IP addresses were assigned.
The ICO stated that Personal Information Online Code of Practice contained good practice advice, but did not contain a definitive statement that all IP addresses should be treated as personal data.
The ICO decided that:
1. some of the IP addresses held by the Council may be personal data, because the Council had the ability to link the IP addresses to other information (for instance the postcodes submitted in response to the survey);
2. the correct test to apply in this case was not whether the personal data to be disclosed was personal data in the hands of the data controller (the Council);
3. the test should be whether any member of the public could identify an individual from the IP address if that address were disclosed; and
4. the IP addresses were anonymous and were not personal data.
In considering whether a member of the public could identify an individual from an IP address, the ICO took into account that there are ‘look up’ websites (e.g. http://www.whois.net/), where users can search for additional information about an IP address, but that those searches were not accurate enough to closely identify the actual location or user of the device linked to the IP address.
The ICO noted that one ‘look up’ site stated:
‘Determining the physical location down to a city or ZIP code, however, is more difficult and less accurate because there is no official source for the information, users sometimes share IP addresses and Internet service providers often base IP addresses in a city where the company is basing operations.’
But, the ICO noted:
‘in future, with technological advances it may be possible that resources such as geolocation information could be used to identify a user of an IP address. It is therefore important this decision is viewed as on the circumstances of the case.’
The ICO also stated that:
a) because dynamic IP addresses change, there was some additional distance between the IP address and the identity of the user - an IP address is more likely to be personal data if it relates to a computer which has a single user;
b) finding out the name of an organisation whose IP address is used to submit a consultation response is not the same as disclosing personal data;
c) the High Court judgment in the judicial review of Digital Economy Act 2010 is confined to the circumstances of that case and does not have wider application or set a wider precedent; in the scenario before the High Court it was clear that copyright owners had the means and motivation to identify subscribers, who could be identified through the IP address, but that was not the case with the IP addresses requested from the London Borough of Hackney;
d) IP addresses in isolation, unlinked to other data, made identification of the individual less likely; the other information which the Council disclosed to the complainant could not be linked to the IP addresses and did not significantly increase the risk of identification.
If you would like further advice about any of the issues considered above please contact Christine Reid on 01865 864195 or email her at firstname.lastname@example.org
This article is not intended to be, and should not be taken as being, legal advice. The law often changes and it varies from jurisdiction to jurisdiction; the information in this article is generic in nature and specific legal advice should be taken before acting on any of it.