A recent judgment by the European Court of Justice stated that IP addresses can be considered as personal data in that they can be used to identify a user by turning to the authorities or ISP providers.
The point was raised in the context of a controversy between Mr Patrick Breyer and the Bundesrepublik Deutschland (Federal Republic of Germany) concerning the registration and storage of Mr Breyer’s IP address on the occasion of his consulting a number of Internet websites of the German federal services.
Every access to German Government websites is registered with the aim of thwarting cyber attacks and identifying hackers and at the end of each consultation session, a range of data is stored, such as the name of the website or file consulted, words typed in the search bars, date and time of consultation, volume of transferred data, outcome of the consultation and the IP address of the computer which has effected access.
Mr Breyer petitioned the German administrative judges, requesting them to prohibit the Federal Republic of Germany from storing IP addresses. His request was rejected at first instance trial, but the Appeal Judge partially accepted his petition, condemning the Federal Republic of Germany to refrain from storing IP addresses when these are collected together with the corresponding date of consultation and when users reveal their identity during the consultation session, even though in the form of an e-mail address.
Therefore, according to the German Court of Appeal, dynamic IP addresses associated with dates of consultation are only to be considered personal data in those cases when users have revealed their identity when surfing the web, whereas if users do not reveal their identity during a consultation session, IP addresses would not be considered as personal data as only Internet service providers could link those IP addresses to the names of their subscribers.
As both the Federal Republic of Germany and Mr Breyer opposed the Appeal Court’s decision, each petitioned the Bundesgerichtshof (Federal Court of Justice), Mr Breyer aiming at full approval of his injunction and the State requesting its rejection.
The Federal Court of Justice pointed out that the qualification of IP addresses as «personal» data depends on whether or not it is possible to identity users and raised a question of doctrine regarding the choice of «objective» or «relative» criteria in order to establish whether a person is identifiable. Applying «objective» criteria, IP addresses could be considered personal data even if only one third party were able to determine the identity of the person involved; the third party, who in this case would be an Internet access service provider. On the other hand, according to «relative» criteria, these data could only qualify as personal data in relation to a particular subject, such as the Internet access service provider, who was able to trace precise identification back to a specific user. On the contrary, IP addresses could not be considered personal data for other subjects such as Internet site administrators, since they are not in possession of the necessary information for identification without resorting to external sources, except for those cases in which users reveal their identities while browsing the web.
First of all the European Court of Justice observed that a dynamic IP address does not represent information referring to an «identified natural person», since it directly reveals neither the identity of a computer owner connected to an Internet website, nor that of another person who may be using the same computer. However, the Court stressed that the wording in art. 2, letter a) of directive 95/46 proves that a person is considered identifiable when they can be identified not only directly, but also indirectly. Moreover, recital 26 of directive 95/46 states that, to determine whether a person is identifiable, it is appropriate that the sum total of the means that may be reasonably used by a data processor or others to determine said person’s identity should be taken into consideration.
According to the Court, the fact that additional information necessary to identify users is not directly in the possession of website administrators, but rather in that of Internet access service providers, is not sufficient to exclude dynamic IP addresses from being considered as personal data in accordance with art. 2, letter a) of directive 95/46. Indeed, it needs to be established whether the possibility to match a dynamic IP address to the names in the possession of Internet access service providers constitutes an accessible means for website administrators. A situation that would not be conceivable if the identification of the person involved was prohibited by law or in practice unfeasible, for example due to the fact that it would imply an enormous amount of time, cost and labour.
Despite German national legislation not allowing ISP providers to directly transmit information that identifies a person starting from an IP address, the Court stressed that there are legal instruments which, especially in cases of cyber attacks, allow website administrators to turn to the appropriate authorities, in order that these authorities can obtain the relevant information from Internet access service providers and initiate criminal proceedings. It follows that there are means, which, with the help of other subjects, can be reasonably used to identify a person based on their IP address.
Therefore, the European Court of Justice has established that article 2, letter a) of directive 95/46 must be interpreted as meaning that a dynamic IP address registered by a website represents personal data, where website administrators are concerned, in the event that they are in possession of the legal means to allow the identification of the person involved by recourse to an Internet access service provider.
The European Court of Justice decision is available HERE.
On the 14th of April 2016, more than four years after the European Commission proposal, the European Parliament approved at second reading the Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
The incessant technological progress of the last few years, the result product of an information society which has become increasingly more intrusive in people’s private lives, had on the one hand highlighted the inadequacy of European data protection legislation Directive 95/46/EC, formulated in the first stages of the digital revolution and on the other underlined the regulatory fragmentation that the implementation of the Directive had caused in the Member States. Thus, the Regulation meets the long awaited need to reform the legislation on personal data protection extending the number of rights for data subjects compared to those provided by the Directive and to bring into line the different legislations of the Member States, as a means to also strengthening the internal European market. In that sense the choice of the European legislator to adopt the instrument of the Regulation is a significant one in that, in contrast with the Directive it does not require acts of transposition, as it can be directly and identically applied in each Member State.
Among the most significant recommendations introduced by the Regulation, of particular relevance seems to be the new local scope of application in accordance with art. 3. Directive 95/46/EC previously provided for the regulation to be applicable by means of the national legislations when personal data were processed in the framework of the activities of a data controller’s establishment physically present in the European Union. Therefore, the fundamental criterion for defining the scope of applicability of the Directive was the physical location in which the data were processed. Today, this criterion seems to have been overturned by art. 3, paragraph 1 of the Regulation, which defines the applicability of the act “regardless of whether or not the processing takes place in the Union”. Already over the last two years, from the Google Spain ruling to the recent Schrems decision, the orientation, which has become definite in the European Court of Justice’s case-law, has highlighted a trend towards a less restrictive interpretation of this criterion.
In fact, it seems that the will has also arisen to extend European legislation to cases in which data controllers are non-European subjects and data are mainly processed outside Europe. Now, art. 3 of the Regulation seems in a certain sense to have codified the Court’s broadened interpretation by providing multiple connecting criteria that also allow those cases of data processing which previously had been difficult to include, to be drawn into the sphere of application of the regulatory provision. The Regulation is now applicable not only to data processing performed in the context of the activities of a data controller’s establishment within the Union, but also in the case of a data processor’s establishment. Moreover, it is applicable when the data processing activities are related to an offer of goods or services, even if free of charge, to interested data subjects within the European Union, or when they are related to the monitoring of the such data subjects’ behaviour, even if the data controllers or processors are not settled in the European Union.
The reform introduces various innovations, among which the provision of a new range of rights for data subjects (for example the right to be forgotten and the right to data portability), the placing of more responsibilities on subjects involved in the processing of personal data (in particular the obligation for data controllers to carry out privacy impact assessments and to notify of data breaches), new safeguards for the transfer of data abroad in addition to the confirmation of the two regulatory authorities represented by the Data Protection Officer and the Supervisory Authority.
With regard to coordination with the European legislation (the Regulation will be applicable after a two year period from the date of entry into force), the Italian legislator will have to choose which of the two alternative routes to follow: either the direct application of the Regulation, which would imply the abrogation of all national provisions incompatible with the European legislation, or the integration of the current Italian Personal Data Code, despite the inevitable risks of erroneous transpositions or misinterpretations of the European provisions.
The recent “Facebook” decision by the European Court of Justice can be interpreted from two different perspectives, which are not (however) mutually exclusive. The first interpretation is of a legal-technical nature, while the second is political.
Let us start with the first. The facts are known as are the conclusions. The United States is not considered to be a country that guarantees an adequate level of protection in accordance with the Directive on personal data protection, dir. 95/46.
The path is outlined in art. 25 of the Directive, which is hereinafter quoted for convenience and clarity, in order to better understand the past (the decision) and the future (the currently open directions).
1. The Member States shall provide that the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer, may only take place if, without prejudice to compliance with the national provisions adopted pursuant to the other provisions of this Directive, the third country in question ensures an adequate level of protection.
2. The adequacy of the level of protection afforded by a third country shall be assessed in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations; particular consideration shall be given to the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of origin and country of final destination, the rules of law, both general and sectoral, in force in the third country in question and the professional rules and security measures which are complied with in that country.
3. The Member States and the Commission shall inform each other of cases where they consider that a third country does not ensure an adequate level of protection within the meaning of paragraph 2.
4. Where the Commission finds, under the procedure provided for in Article 31 (2), that a third country does not ensure an adequate level of protection within the meaning of paragraph 2 of this Article, Member States shall take the measures necessary to prevent any transfer of data of the same type to the third country in question.
5. At the appropriate time, the Commission shall enter into negotiations with a view to remedying the situation resulting from the finding made pursuant to paragraph 4.
6. The Commission may find, in accordance with the procedure referred to in Article 31 (2), that a third country ensures an adequate level of protection within the meaning of paragraph 2 of this Article, by reason of its domestic law or of the international commitments it has entered into, particularly upon conclusion of the negotiations referred to in paragraph 5, for the protection of the private lives and basic freedoms and rights of individuals.
Member States shall take the measures necessary to comply with the Commission’s decision”.
In the past the Commission had deemed the level of protection afforded by the Safe Harbour framework to be appropriate, but this decision by the Court shows its disagreement and invalidates the Safe Harbour.
This does not imply, however, that the transfer of personal data to the United States can no longer take place. It can take place on the basis of the express consent of the interested party or on the basis of the Binding Corporate Rules. Therefore either the interested party may give their consent for the transfer or the data controller may adopt management rules approved by the Data Protection Authority that will allow the transfer.
So, what is the difference then? The difference is that it will not be possible to use the Safe Harbour framework, i.e. transfer data to the United States without consent or without pre-approved rules, that is assuming the data to be protected in the United States in the same way as they are in Europe.
From a strictly legal-applicative point of view all comment ends here. Undoubtedly, there will be higher management costs for those who transfer data from Europe to the United States, but there will certainly be no ban.
On the other hand, the political interpretation of the decision which follows roughly a year after the Google Spain case is far more problematic. As mentioned above, in the Court’s opinion, the United States does not provide an adequate level of data protection.
Essentially the Court states that the level of protection of personal data is higher in Europe and that it is the European law which should be applied to European subjects’ personal data (apologies for this simplification, obviously the decision refers to data transfer from Europe under certain conditions). Similar assertions can be found in the Google Spain decision.
The Court anticipates the contents of art. 3 of the forthcoming European regulation for the protection of personal data with another decision which is also political. Then again, personal data protection has constitutional significance in Europe (article 8 of the Charter of Fundamental Rights), but not in the USA. This obviously reflects a different scale of values in two regions of the world, albeit very similar to each other if compared to the Asian region. This of course has a cost, which big players such as Google and Facebook can much more easily afford than small ones. And it underlines that Europe and the United States have not (yet) reached a political agreement on the question.
Among the various provisions of the Monti government’s new economic measures (Law Decree no.201 of December 6, 2011) published in Official Gazette no. 284 of December 6, 2011, we find the introduction of a radical change to the Italian Privacy Code (Legislative Decree 196 of June 30, 2003).
In order to reduce the administrative burden on companies, by amending Article 4, paragraph 1, letter b) of the Privacy Code, Art.40, paragraph 2 excludes from the definition of personal data all information relating to private and public bodies or associations.
As a result of this exclusion the measures also include an amendment to Art. 4, paragraph 1, letter i) which defines who should be considered “an interested party” by the treatment of the data, namely the individual to whom the personal data refers. Whereas previously private and public bodies or associations could be “interested parties”, only natural persons are considered as “interested parties” with the current amendment.
Therefore this revolutionary provision limits the privacy protection of private and public bodies whose data can now be processed without having to obtain permission and restricts the right to data protection only to natural persons.
Alongside these significant changes, Monti’s measure also deletes the last sentence of Art. 9, paragraph 4 of the privacy Code, which detailed how to identify the natural person entitled to exercise rights on behalf of private bodies, public bodies or associations, paragraph 3-bis of art. 5, which excluded from the application of the Privacy Code the processing of data regarding public and private bodies and associations in communications between said bodies for administration and accountancy purposes, and finally also letter h) of paragraph 1 of article. 43 concerning the processing of data of private bodies, public bodies or associations when transferred abroad.
Although the news has not attracted particular media response, the draft of the so-called Development Decree which has been circulating in the last few days would also have an impact on the protection of personal data.
Among other things art. 94 of the decree provides for nothing less than a change in the concept of personal data, adding a significant limitation on legal persons. In fact personal data would now come to mean “any information concerning a natural person and only regarding the electronic communications sector, any information concerning a legal person, body or association subscribing to an electronic communications service available to the public, provided that those persons can be identified or are identifiable even indirectly, by reference to any other information, including a personal identification number. “
Therefore the concept of interested party would also be changed. It would identify the natural person and the legal person, body or association subscribing to an electronic communications service available to the public, limited to the processing of personal data in the field of electronic communications.
Besides the debatable wording of the rule, which raises doubts about its interpretation, the theoretical framework and consequently the practical concept of personal data has been radically changed.
The innovations do not stop here, although the following are less significant.
In fact, there are also new provisions for digital prescriptions and electronic health records (Articles 129 and 130), and from 1 January 2013 school reports and certificates will be issued in an electronic format and made available on the web, by email or other digital formats (Art. 132) Leave certificates for employees whose children are off school ill will also be online (art. 131). As for transport, tickets for buses, trams or other local forms of transportation will be issued in an electronic format (Art. 137).
Finally, the draft decree contains regulations for the increase in the use of Certified email (Article 134), which must be adopted by all companies, not just those constituted in a corporate form. With regard to professionals already affected by this obligation, professional registers are also expected to publish “in any and every case” the certified email addresses of their members.
These predictions are not in fact final and we will follow their procedures and practical implications, which do however, arouse immediate interest and will soon be the subject of lively debate.
The recent publication of the ruling of the Italian Supreme Court (17 February-1 June 2011, No 21839) offers much food for thoughts.
The facts behind the decision seem, in their essence, very simple: one person published on the Internet the mobile phone number of another person without his consent.
Such conduct, according to the decision, falls within the crime of unlawful processing of personal data, governed by art. 167 of the Italian Code for the protection of personal data.
That the elements that constitute this kind of crime are three:
1) the process should be in violation of some specific provisions of the Code
2) there should be a specific intent, such as the will to cause harm or make a profit
3) the damage (harm) should have actually been caused.
Now, from what is stated in the decision, the data process was definitely illegal. The personal information (the phone number) had been processed, more precisely, via Internet, without consent.
This conduct, as it follows, was put in place by the offender in order to cause harm to the person and the damage was actually produced. On this point, it should be noted that the Supreme Court seems to favor the recognition of harm in re ipsa, but we’re not deepening this aspect here.
For such reasons the Supreme Court confirmed the sentence of criminal conviction.
However, while the decision seems to be correct, within the limits of the meager facts reported in the published ruling, there was an error.
Contrary to what the Court stated, the number of mobile phone is certainly not a sensitive personal data.
The two definitions of Art. 4 of the Italian Code for the protection of personal data are very clear and do not give rise to misunderstandings.
The personal data is, in short, an information attributable to an individual: thus the number of users fixed telephone, mobile telephone and the number of users.
However, “sensitive” data are only expressly and exhaustively listed in Article. 4, paragraph 1, lett. d), namely “personal data revealing racial or ethnic, religious, philosophical or other beliefs, political opinions, membership of political parties, unions, associations or organizations of a religious, philosophical, political or trade union, as well as personal data disclosing health and sex life.” Among these there is not the number of mobile phone users.
“Sensitive data” is not, in legal terms, synonymous with “confidential data”. The confidential data does not exist in the Italian law, while sensitive data is only what is listed above.
The number of mobile phone is a personal data but not sensitive one. This is a mistake that is frequently committed by non-experts.
However, this does not mean that the number of mobile phone can be treated and distributed freely by anyone: it is a personal and then for its treatment it is necessary to obtain the consent of the person involved.
If it had been sensitive data, then it would also need the authorization of the Italian Authority for the protection of personal data and the offense would be aggravated.
This error of the Supreme Court shows that the so-called privacy law is still far from being known and that the level of awareness and legal culture regarding this subject is still very low.