It’s 11 days old, but I’ve been thinking about it since the judge made the ruling. As many of you know, a federal judge in Seattle held that IP addresses are not personal information. For a long time I have felt the same way. Others disagree. The ruling of a single judge — even though it’s regarding a high-profile case (Microsoft) — isn’t going to change the world overnight, but it certainly adds spice to the pot that has been cooking for a while.
As most folks are aware, the EU believes differently, and has held for some time that IP is PII. Keep in mind that their stance is not based on ignorance. I found the following excerpt from the referenced report interesting in particular, from point 3 of the Executive Summary:
A search engine provider may link different requests and search sessions originating from a single IP address. It is thus possible to track and correlate all the web searches originating from a single IP address, if these searches are logged. Identification can be improved, when the IP address is correlated with a user unique ID cookie distributed by the search engine provider, since this cookie will not change when the IP address is modified.
The IP address may also be used as location information, even if it may in many cases be inaccurate at present.
I found it refreshing that the Article 29 Working Party is not oblivious to the fact that an IP address by itself is often inaccurate. Insightfully, the Party points out, however, that if you combine the IP address with other elements such as a unique cookie/ID then you have something a little more solid…something approaching PII, perhaps?
And then comes the real meat behind the Party’s stance (in section 4.1.2):
Personal data: IP addresses and cookies
In its Opinion (WP 136) on the concept of personal data, the Working Party has clarified the definition of personal data. An individual’s search history is personal data if the individual to which it relates, is identifiable. Though IP addresses in most cases are not directly identifiable by search engines, identification can be achieved by a third party. Internet access providers hold IP address data. Law enforcement and national security authorities can gain access to these data and in some Member States private parties have gained access also through civil litigation. Thus, in most cases – including cases with dynamic IP address allocation – the necessary data will be available to identify the user(s) of the IP address.
The Working Party noted in its WP 136 that “… unless the Internet Service Provider is in a position to distinguish with absolute certainty that the data correspond to users that cannot be identified, it will have to treat all IP information as personal data, to be on the safe side”. These considerations will apply equally to search engine operators.
Again, it is clear that the Party is not suggesting that IP is a solid identifier, but would like to err on the safe side, since, if enough reason was provided, an ISP could potentially track the IP back to an individual user. Interesting.
Before those of us on the other side of the pond stand up and say, “Hah! We get it and they don’t!”, we might want to recall that there are still competing decisions here in the US. Back in April in the State v. Reid case, the New Jersey Supreme Court ruled that Internet service providers can’t disclose a subscriber’s IP address to the police without a grand jury subpoena.
What are the implications for businesses with an international customer base (say, customers from both Washington State and Germany)? Will the US follow the EU’s lead, or do you see this as a continuing debate that won’t settle for quite some time? Do you believe a high-profile case such as the Microsoft ruling will set a precedent?
If IP addresses are ruled to be personally identifiable information, I wonder if existing compliance regulations such as PCI will adopt IP addresses as part of the data that must be encrypted and/or stored securely. Definitely a topic to watch as things continue to unfold.