A recent judgment by the European Court of Justice stated that IP addresses can be considered as personal data in that they can be used to identify a user by turning to the authorities or ISP providers.
The point was raised in the context of a controversy between Mr Patrick Breyer and the Bundesrepublik Deutschland (Federal Republic of Germany) concerning the registration and storage of Mr Breyer’s IP address on the occasion of his consulting a number of Internet websites of the German federal services.
Every access to German Government websites is registered with the aim of thwarting cyber attacks and identifying hackers and at the end of each consultation session, a range of data is stored, such as the name of the website or file consulted, words typed in the search bars, date and time of consultation, volume of transferred data, outcome of the consultation and the IP address of the computer which has effected access.
Mr Breyer petitioned the German administrative judges, requesting them to prohibit the Federal Republic of Germany from storing IP addresses. His request was rejected at first instance trial, but the Appeal Judge partially accepted his petition, condemning the Federal Republic of Germany to refrain from storing IP addresses when these are collected together with the corresponding date of consultation and when users reveal their identity during the consultation session, even though in the form of an e-mail address.
Therefore, according to the German Court of Appeal, dynamic IP addresses associated with dates of consultation are only to be considered personal data in those cases when users have revealed their identity when surfing the web, whereas if users do not reveal their identity during a consultation session, IP addresses would not be considered as personal data as only Internet service providers could link those IP addresses to the names of their subscribers.
As both the Federal Republic of Germany and Mr Breyer opposed the Appeal Court’s decision, each petitioned the Bundesgerichtshof (Federal Court of Justice), Mr Breyer aiming at full approval of his injunction and the State requesting its rejection.
The Federal Court of Justice pointed out that the qualification of IP addresses as «personal» data depends on whether or not it is possible to identity users and raised a question of doctrine regarding the choice of «objective» or «relative» criteria in order to establish whether a person is identifiable. Applying «objective» criteria, IP addresses could be considered personal data even if only one third party were able to determine the identity of the person involved; the third party, who in this case would be an Internet access service provider. On the other hand, according to «relative» criteria, these data could only qualify as personal data in relation to a particular subject, such as the Internet access service provider, who was able to trace precise identification back to a specific user. On the contrary, IP addresses could not be considered personal data for other subjects such as Internet site administrators, since they are not in possession of the necessary information for identification without resorting to external sources, except for those cases in which users reveal their identities while browsing the web.
First of all the European Court of Justice observed that a dynamic IP address does not represent information referring to an «identified natural person», since it directly reveals neither the identity of a computer owner connected to an Internet website, nor that of another person who may be using the same computer. However, the Court stressed that the wording in art. 2, letter a) of directive 95/46 proves that a person is considered identifiable when they can be identified not only directly, but also indirectly. Moreover, recital 26 of directive 95/46 states that, to determine whether a person is identifiable, it is appropriate that the sum total of the means that may be reasonably used by a data processor or others to determine said person’s identity should be taken into consideration.
According to the Court, the fact that additional information necessary to identify users is not directly in the possession of website administrators, but rather in that of Internet access service providers, is not sufficient to exclude dynamic IP addresses from being considered as personal data in accordance with art. 2, letter a) of directive 95/46. Indeed, it needs to be established whether the possibility to match a dynamic IP address to the names in the possession of Internet access service providers constitutes an accessible means for website administrators. A situation that would not be conceivable if the identification of the person involved was prohibited by law or in practice unfeasible, for example due to the fact that it would imply an enormous amount of time, cost and labour.
Despite German national legislation not allowing ISP providers to directly transmit information that identifies a person starting from an IP address, the Court stressed that there are legal instruments which, especially in cases of cyber attacks, allow website administrators to turn to the appropriate authorities, in order that these authorities can obtain the relevant information from Internet access service providers and initiate criminal proceedings. It follows that there are means, which, with the help of other subjects, can be reasonably used to identify a person based on their IP address.
Therefore, the European Court of Justice has established that article 2, letter a) of directive 95/46 must be interpreted as meaning that a dynamic IP address registered by a website represents personal data, where website administrators are concerned, in the event that they are in possession of the legal means to allow the identification of the person involved by recourse to an Internet access service provider.
The European Court of Justice decision is available HERE.
The European Court of Justice has recently been called on to rule on the use of the Internet and more specifically, of so called free wifi networks (namely wifi networks not protected by passwords), which are often used by Internet users who violate copyright rights, in taking advantage of the anonymity guaranteed by the net.
With its decision of the 15th September 2016 regarding lawsuit C-484/14, the Court of Justice ruled in favour of the acquittal of the administrator of a local wireless network, which was free and accessible without authorization, and which had been used by a user for the online distribution of a piece of music without the consent of the copyright holders.
Acknowledging Internet access services to be a service in the information society, which simply consist in the provision of access to a communication network, the Luxembourg Court adjudged the wifi network administrator to be exempt from all liability in accordance with Directive 2000/31/EC. As in the case of hosting service providers, the latter is in fact under no obligation (nor does he have the concrete means) to have any knowledge of and monitor information transmitted by his network.
However, keeping the necessary balance between fundamental rights (in the present case, the freedom to do business and copyright), the Court further stated that national judicial authorities may require service providers to put a stop to copyright violations or to prevent them, provided that the technical measures necessary to achieve this do not excessively restrict the provider’s freedom to do business.
According to the Court of Justice, protecting wifi networks with a password represents a technical measure which “in no way prejudices the essential content of the rights” of access service providers and at the same time, is appropriate for protecting copyright “insofar as network users are obliged to reveal their identity and cannot therefore act anonymously”.
Federalberghi, the Italian Federation of Hoteliers, has launched a formal protest against sites that collect anonymous user reviews.
In a recent letter addressed to the Ministry of Tourism and the Ministry of Industry, The Federation President Bernabò Bocca called for the introduction of rules on blogs and sites, including the right of rectification, and the obligation of signing reviews with users’ full names, or alternatively direct responsibility of the site for its reviews.
The main target of the Federation’s protest is TripAdvisor, the travel portal where users can exchange opinions on hotels, restaurants and tourist attractions worldwide.
Regarded as one of the “pioneer” services of Web 2.0, since 2000 TripAdvisor has collected user reviews, many of which anonymous, without either control or censorship. The portal, which currently has more than 40 million monthly visitors, is owned by Expedia Inc., the U.S. travel company and online booking giant, which runs popular sites such as Expedia.com, Hotels.com, Hotwire.com.
It was precisely this combination of anonymity and Expedia’s management of the site which aroused the suspicions of President Bocca, according to whom the obligation for users to log into the portal with their full name and preferably the addition of the dates of their stay, would guarantee the authenticity of the reviews and dispel the suspicion that the reviews had in fact been created ad hoc.
The press release in which Federalberghi expresses its request for a ruling against anonymous reviews also carries the news of a decision by the Court of Paris, which a few days ago condemned Expedia, TripAdvisor and Hotels.com to pay a fine of € 430,000 for unfair and deceptive trade practices.
The Court accepted the requests of Synhorcat (the French Association of Hoteliers) which accused Expedia of providing the public with inaccurate information regarding the availability of rooms at some hotels thus benefitting others which are business partners of the site itself. Synhorcat also contested the fact that the partnership between Expedia and Tripadvisor was in no way made clear to users.
The sentence, even if only partially relevant to the current protest by Federalberghi, was heralded as a major success in the campaign that HOTREC (the European organization of hotels, restaurants and bars), together with Federalberghi and the other national associations, is promoting in all European countries against unfair trade practices.
It does appear, however, that not all Italian national associations are united in the battle against TripAdvisor’s anonymous reviews. Confindustria alberghi (The Confederation of Hotels) and AICA (The Italian Association of Hotel Companies) recently launched an ongoing collaboration with “TripAdvisor for Business” aimed at overcoming problems and identifying key areas for improving the features of TripAdvisor dedicated to companies in the hospitality industry.
We’d like to present here an interview with Giusella Finocchiaro on The Dilemmas of Anonymity and Anonymous Data in the Digital Economy. The interview has been published by Nymity news on the section “Interviews with Expert”.
The dilemma is if anonymity and anonymous data exist in the present technological environment or if technology renders anonymity and anonymous data impossible.
The fundamental question is the very definition of anonymity and of anonymous data.
The concept of anonymity has gained particular importance in relation to the application of the European legislation on personal data protection. This regulation is constituted by the Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data and by the Directive 2002/58/EC on privacy and electronic communications. The only data which are not “personal data” and therefore are outside the field of the application of the two directives are “anonymous data”…
Read more on: Nimity News