EU Ponders Privacy of Internet Addresses

Europe's top data protection officials are working to clarify a grey area of Internet law: the legal status of an Internet Protocol (IP) address.

The question of whether an IP address should be considered private data occupied much time at a hearing last week at the European Parliament regarding Google's planned acquisition of DoubleClick. If a person can be identified by an IP address, then the address is private, said Peter Schaar, the German data protection commissioner and chairman of the Europe-wide privacy group, the Article 29 Committee.

This has been the rule in most countries in the European Union for more than 10 years. However, it is hard to set a clear-cut rule because some ISPs  give out fresh IP addresses to subscribers each time they go online and people also buy time online at Internet cafes.

The Article 29 Committee has been examining the question of IP addresses as part of its analysis of how search engines respect European data protection rules. It is expected to reach some conclusions by mid-June, according to an official working for the committee who asked not to be named.

The committee cannot fine transgressors of E.U. data protection rules, nor can it propose legislation, but it can prompt the European Commission to do so.

Internet search companies, including Google, argue that an IP address merely locates a computer rather than identifying who is sitting at that computer. Treating IP addresses as personal information would have implications for how search engines record and use people's data.

If the committee persuaded lawmakers to toughen IP address protection in Europe "that would definitely change things [for search engines]," said John Steinback, a spokesman on policy matters for Google.

From Google's perspective, whether an IP address is personal depends on the context, Steinback said. An ISP can link an IP address to a subscriber, but a Web site visited by the person using a specific IP address cannot link the address to a person, he explained.

The European Parliament hearing was convened by the assembly's civil liberties committee to assess whether citizens' privacy would be harmed by Google's planned acquisition of Internet advertising company DoubleClick. The deal, which has already been given the green light by U.S. regulators, is under investigation by European Commission competition officials. However, like its U.S. equivalents, the Commission won't consider the privacy question.

Nevertheless, if data being collected for one purpose by one of the companies is then handed over to the other company for use in a different way, European data protection officials would be obliged to intervene, said the official close to the Article 29 Committee.

"Google will have to respect all the obligations of DoubleClick, including its data protection obligations," the official said. If the two databases are to be used for the same purposes, then they would be deemed compatible and could merge. "But if there was an incompatibility between the two databases, then they couldn't be merged," he said.

The European Parliament's civil liberties committee said it would be holding more seminars to examine the issues surrounding data protection in the months and years to come.

Subscribe to the Security Watch Newsletter

Comments