Wednesday, July 18, 2007

File-sharing and IP addresses

IPkat has posted a press release of a case, C-257/06 , Productores de Música de España v Telefónica de España SAU, whereby Advocate-General Juliane Kokott, has held that it is 'compatible with EU law for European countries to exclude communication of personal data in the context of a civil, as distinct from criminal, action.' We have yet to await the ECJ's ruling on this. In brief:
The case was brought by a Spanish music and audiovisual association after telecoms provider Telefonica refused to hand over the names and addresses of its Internet clients suspected of running illegal file sharing sites. The association, Promusicae, wanted to identify the clients, who used the file-sharing program KaZaA, so it could start taking action against them.
Even though the preliminary reference does not touch on the subject of the Data Protective 95/46/EC, there is an interesting dimension when exploring data protection online. Static IP addresses are considered by the Art. 29 Working Party (pdf) and some Data Protection Authorities as personal data.

Example No. 15: dynamic IP addresses The Working Party has considered IP addresses as data relating to an identifiable person. It has stated that "Internet access providers and managers of local area networks can, using reasonable means, identify Internet users to whom they have attributed IP addresses as they normally systematically “log” in a file the date, time, duration and dynamic IP address given to the Internet user. The same can be said about Internet Service Providers that keep a logbook on the HTTP server. In these cases there is no doubt about the fact that one can talk about personal data in the sense of Article 2 a) of the [Data Protection] Directive. Especially in those cases where the processing of IP addresses is carried out with the purpose of identifying the users of the computer (for instance, by Copyright holders in order to prosecute computer users for violation of intellectual property rights), the controller anticipates that the "means likely reasonably to be used" to identify the persons will be available e.g. through the courts appealed to (otherwise the collection of the information makes no sense), and therefore the information should be considered as personal data. A particular case would be that of some sorts of IP addresses which under certain circumstances indeed do not allow identification of the user, for various technical and organizational reasons. One example could be the IP addresses attributed to a computer in an internet café, where no identification of the customers is requested. It could be argued that the data collected on the use of computer X during a certain timeframe does not allow identification of the user with reasonable means, and therefore it is not personal data. However, it should be noted that the Internet Service Providers will most probably not know either whether the IP address in question is one allowing identification or not, and that they will process the data associated with that IP in the same way as they treat information associated with IP addresses of users that are duly registered and are identifiable. So, unless the Internet Service Provider is in a position to distinguish with absolute certainty that the data correspond to users that cannot be identified, it will have to treat all IP information as personal data, to be on the safe side.

Source: Art. 29 Working Party 4/2007 on the Concept of Personal Data

There have been relatively few cases in the UK that touches on IP addresses and filesharing, but one interesting case study to consider the is APB's case, whereby the APB collected IP addresses to ascertain the identity of filesharers, details which I won't go into, but have read through at and here.

No comments: