Is an IP Address Personal Data?

The answer seems to be – maybe no, but maybe yes, depending on the circumstances.

The key to unlocking this conundrum is whether or not the IP address can be used to help identify a living individual.

An IP (or internet protocol) address is a numeric code, assigned by an internet service provider (ISP), which identifies a device, such as a computer, on the internet. IP addresses are either static (always the same) or dynamic (changing when a user logs on).

‘data which relate to a living individual who can be identified –

(a) from those data, or
(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller …….’
             
ICO Guidance

According to the Technical Guidance   published by the Information Commissioner’s Office (ICO) in 2007, to be personal data, information must ‘relate to’ a living identifiable person. Information will ‘relate to’ a person if it is about him, linked to him, has some biographical significance for him is used to inform decisions affecting him or has him as its main focus or impacts on him in any way.

The ICO’s Personal Information Online Code of Practice   states:

‘A practical difficulty arises when collecting information online because non-obvious identifiers, such as cookies or IP addresses, are linked to a device rather than a particular user. In many cases a device will have multiple users, for example a shared household PC. This may make it impossible to tell whether the information obtained is about a single user or a group of users.

A single household PC may have different family members using it under the same login identity. As a result, the IP address and cookies cannot be connected to a single user. Therefore it is unlikely that this information will be personal data. However, if each family member logs in separately, then any online activity will relate to that particular login identity. This will mean that the cookies used are more likely to be personal data. An IP address is only likely to be personal data if it relates to a PC or other device that has a single user.

When you cannot tell whether you are collecting information about a particular person, it is good practice to treat all the information collected as though it were personal data.’

Judicial Review of the Digital Economy Act 2010

BT and TalkTalk (R (BT Telecommunications PLC & Anor) v Secretary of State for Business, Innovation and Skills [2011] EWHC 1021 (Admin)) sought judicial review of the Digital Economy Act 2010 on the grounds that its provisions were incompatible with EU law, including the Data Protection Directive.  In the course of considering this question, the High Court looked at whether, by linking the IP address provided by a copyright owner with an individual subscriber's name and address, and writing to him and compiling lists, ISPs were processing personal data.

Article 2(a) of the Data Protection Directive defines ‘personal data’ as:

‘any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.’

The most recent pronouncement (ICO decision notice FS50315994 dated 23 June 2011) on the issue concerns an online survey conducted by the London Borough of Hackney on a proposal to install a wind turbine. The Council was asked to disclose information about the responses to that survey, including:

a) the IP addresses (not related to any other data) of the respondents; and

b) a list of all the addresses (with the street number and name removed, i.e. leaving the area, city and postcode of the respondents).

The Council disclosed the street names, cities or towns and the postcodes to the enquirer, but refused to disclose the IP addresses on the grounds that they were personal data, their disclosure would be a breach of the first Data Protection Principle and therefore the Council could rely on the exemptions in sections 40(2) and 41(1) of the Freedom of Information Act and was not obliged to disclose the IP addresses.

The enquirer complained to the ICO, arguing that:

i) his request for information had ensured that no privacy or Data Protection Principles would be compromised;

ii) the guidance quoted from the Personal Information Online Code of Practice did not apply in this case;

iii) the IP addresses in isolation were not personal data because they were associated with pieces of electronic equipment which could not be connected to an identifiable individual; and

iv) there was no way to establish who was using the computer to which the IP addresses were assigned.

The ICO stated that Personal Information Online Code of Practice contained good practice advice, but did not contain a definitive statement that all IP addresses should be treated as personal data.

The ICO decided that:

1. some of the IP addresses held by the Council may be personal data, because the Council had the ability to link the IP addresses to other information (for instance the postcodes submitted in response to the survey);

2. the correct test to apply in this case was not whether the personal data to be disclosed was personal data in the hands of the data controller (the Council);

3. the test should be whether any member of the public could identify an individual from the IP address if that address were disclosed; and

4. the IP addresses were anonymous and were not personal data.

In considering whether a member of the public could identify an individual from an IP address, the ICO took into account that there are ‘look up’ websites (e.g. http://www.whois.net/), where users can search for additional information about an IP address, but that those searches were not accurate enough to closely identify the actual location or user of the device linked to the IP address.

 The ICO noted that one ‘look up’ site stated:

‘Determining the physical location down to a city or ZIP code, however, is more difficult and less accurate because there is no official source for the information, users sometimes share IP addresses and Internet service providers often base IP addresses in a city where the company is basing operations.’

But, the ICO noted:

‘in future, with technological advances it may be possible that resources such as geolocation information could be used to identify a user of an IP address. It is therefore important this decision is viewed as on the circumstances of the case.’

The ICO also stated that:

a) because dynamic IP addresses change, there was some additional distance between the IP address and the identity of the user - an IP address is more likely to be personal data if it relates to a computer which has a single user;

b) finding out the name of an organisation whose IP address is  used to submit a consultation response is not the same as disclosing personal data;

c) the High Court judgment in the judicial review of Digital Economy Act 2010 is confined to the circumstances of that case and does not have wider application or set a wider precedent; in the scenario before the High Court it was clear that copyright owners had the means and motivation to identify subscribers, who could be identified through the IP address, but that was not the case with the IP addresses requested from the London Borough of Hackney;

 and

d) IP addresses in isolation, unlinked to other data, made identification of the individual less likely; the other information which the Council disclosed to the complainant could not be linked to the IP addresses and did not significantly increase the risk of identification.