CJEU confirms IP addresses are "Personal Data"
.jpg){kind=small}
As we reported recently, the CJEU held in Scarlet Extended SA (“Scarlet”) v Societe belge des auteurs, compositeurs et editeurs (“SABAM”), Case C-70/10 that an order requiring a Belgian internet service provider to filter certain peer to peer files is not permissible under EU law. The CJEU found that any national measures to protect copyright must “strike a fair balance between the protection of copyright and the protection of the fundamental rights of individuals who are affected by such measures”.
This case is also noteworthy for its landmark decision that internet protocol addresses constitute “protected personal data”. The CJEU held that the injunction sought, requiring installation of the contested filtering system, “would involve a systematic analysis of all content and the collection and identification of users’ IP addresses from which unlawful content on the network is sent. Those addresses are protected personal data because they allow those users to be precisely identified.”
This decision is particularly interesting as Charlton J., in EMI Records (Ireland) Limited v Eircom Limited [2010[] IEHC 108, held that an IP address was not “personal data” under the Data Protection Act 1988-2003, in circumstances where it was collected by a record company and provided to Eircom, in order for Eircom to deal with the owner of the IP address in accordance with the ‘three strikes’ scheme. Charlton J. concluded that as the name and address of the owner of the IP address was unlikely to come into the possession of the record company, since it was a matter for Eircom to deal the relevant person, the IP address in and of itself did not constitute “personal data” in the hands of the record company.
Different positions have been adopted by the Member States on this issue, despite the Article 29 Working Party issuing an Opinion (Opinion 4/2007 on the concept of Personal Data) which states that it considers IP addresses as constituting “personal data”. The Working Party stated this was “especially in those cases where the processing of IP addresses is carried out with the purpose of identifying the users of the computer (for instance, by copyright holders in order to prosecute computer users for violation of intellectual property rights).”
The CJEU’s clarification that IP addresses are “personal data” should ensure a more consistent interpretation is adopted across the EU in the future. Interestingly, the European Commission’s draft EU Data Protection Regulation, which has been leaked ahead of scheduled publication on Data Protection Day, 28 January 2012, also indicates that IP addresses constitute “personal data”.
