The scope of data protection law in relation to IP addresses is being underestimated by companies such as Google that process and use individuals’ IP addresses, according to European data protection supervisor Peter Hustinx.
Speaking to technology news service ZDNet UK at the RSA Conference Europe 2008, he noted concerns that even when there is no personal information – such as name or address – directly attached to data, collection and use of internet protocol (IP) addresses could still make someone ‘identifiable’, because it would enable companies to target information at the individual using that computer.
Data protection laws apply
The UK’s Data Protection Act demands that companies only store information for the same purpose as that for which it was collected, and delete it after it has been used for that purpose.
Peter Hustinx went on to say if collection and use of IP addresses or other data with no personal details attached ‘…leads to exclusion of a person, for example he’s getting offers tailor made to him that are more negative than another person might get, or if he’s not getting offers someone else could get, it’s unfair to say he’s anonymous when he’s actually fully identified.’
Privacy grey zone
If there is any doubt by a company as to whether information such as IP addresses is personal or not, it should err on the side of caution and treat everything as personal.
Hustinx adds: ‘My experience is there is a huge grey zone and many companies are interpreting this in a way that is favourable to them and underestimating the scope of [data protection] law.
‘In the case of Google, all European data protection authorities together have unanimously made the case that much of what Google is doing is about personal data. Maybe not always but if they are not able to distinguish one from the other then they should treat all that information as if it was personal data.
‘If we are dealing with a computer that is showing special behaviour in terms of actions that can be tracked, then in a reasonable world this is tracking an individual – computers cannot do it alone. It is a mistake to say under these circumstances [just because there are no personal details attached to data] that data protection laws do not apply.’
Protect your privacy
Jaclyn Clarabut, assistant editor for Which? Computing, says: ‘We’d like to see companies be up front about how they use peoples’ personal data.
For more on companies’ responsibilities under the Data Protection Act, and tips on how to protect your personal information, take a look at the Which? guide to protecting your personal details.
The Which? website – www.which.co.uk – also has advice on staying safe online and how to avoid identity theft, as well as reviews of Which? Best Buy and free security software to protect your PC from internet nasties.
For daily consumer news, subscribe to the here. If you have an older web browser you may need to copy and paste this link into your newsreader: http://www.which.co.uk/feeds/reviews/news.xml . Find out more about RSS in the Which? guide to news feeds.