EU Official: IP Is Personal

Roland Perry lists at internetpolicyagency.com
Thu Jan 24 12:31:27 UTC 2008


In article <Pine.GSO.4.64.0801231750350.24354 at clifden.donelan.com>, Sean 
Donelan <sean at donelan.com> writes
>In the US, folks are fighting the RIAA claiming that an IP address 
>isn't
>enough to identify a person.
>
>In Europe, folks are fighting the Google claiming that an IP address is
>enough to identify a person.
>
>I guess it depends on which side of the pond you are on.

The European Data Protection perspective (which has been the same since
1999, and expressed quite robustly in 2000, no new ideas have suddenly
appeared) is this:

Many IP addresses *are* enough to identify a person.

Although sometimes you need additional information.

The law talks about "identifying directly or indirectly", the
latter as a result of having some *other* information
available[1]. It's not a case of getting a hit based on IP
address alone (which in any event needs at least a registry
lookup to turn into a person's name).

And therefore because *some* IP addresses indisputably identify
people, you must put in place precautions to handle *all* such
information appropriately (IP addresses don't come with a bit
set to say "I'm an identifiable user" or "I'm not").

That's just the way European Law works.

The American perspective might be (and I'm guessing here) that if only
*some* IP addresses identify people, you should assume that *all* IP
addresses are unreliable identifiers. [Many of the comments in this
thread express somewhat of that view].

That might even be a good idea in a shoot-first ask-questions-later
environment. My advice would be to try *not* to deploy such an
environment :)

[1] In the case of being a dial-up ISP, the RADIUS logs; others have
mentioned the association between commercial wifi connections and their
(roaming) subscribers.
-- 
Roland Perry



More information about the NANOG mailing list