French Court Says IP Address Was Not Personal Data
March 3rd, 2010 by adminAccording to the Paris Appeal Court a French music collecting society did not breach data protection laws when it collected the IP (internet protocol) address of an individual internet user. European data protection laws currently control the processing of personal data.
The Court held that the IP address on its own did not constitute being actual personal data or personal information.
IP addresses are assigned to specific devices when they connect to the internet. These devices may be in individual’s homes or places of work. The Paris Appeal Court stated that the IP address alone could not be used to identify an individual person and so were not capable of breaching data protection laws.
The Society of Composers, Authors and Music Publishers (SACEM) is a French music collecting society that was undertaking some anti-piracy analysis when it located an internet user who was sharing music illegally using a peer to peer network system.
SACEM were investigating peer to peer networks when and discovered that several user’s of the file-sharing network Limewire were sharing music by Eminem. The SACEM agent recorded the IP address of one of these users and contacted their Internet Service provider (ISP). The SACEM agent forwarded the details on to the police who then located the individual using the IP address by ordering the ISP to disclose their details.
The laptop that had been used to share files illegally was located by the police at the address provided by the ISP and the individual in question was subsequently arrested. The user claimed that he was unaware file-sharing in this manner was unlawful.
Under French data protection law personal information may be processed when an activity has been authorised prior to action being taken by the National Commission for Information technologies and Civil Liberties (CNIL). One of the fundamental issues in this case was caused by the SACEM agent as the necessary authority from CNIL had not been obtained prior to the disclosure of the individual’s IP address.
The Paris Appeal Court concluded that the information processed was not personal information and therefore was not subject to French data protection law. The IP address itself had not identified the individual, but the complaint made by the SACEM agent to the police and their further investigations had resulted in the disclosure of the individuals details.
