The Convention for the Protection of Individuals With Regard to Automatic Processing of Personal Data, which was signed by member states of the council of Europe at Strasbourg (France) on 28 January 1981,1 underpins most European data protection statutes. It was created to achieve greater unity among its members and to extend the safeguards for the right to privacy, taking into account the increasing flow of personal data undergoing automatic processing. The Council of Europe is an international organisation based in Strasbourg. Its ETS No. 108 provided critical definitions, such as:
- Personal data—Any information relating to an identified or identifiable individual (data subject)
- Automatic processing—Storage, editing operations if carried out in whole or part by automated means
- Automatic data file—Any set of data undergoing automatic processing
These definitions are still being used in national statutes of European member states, such as the UK.
The data protection statutes have existed for more than four decades. The first statutes were introduced in Germany, and other European member states followed suit. The implementation of data protection statutes by member states has been largely due to compliance with European Directive 95/46/EC2 and Directive 2002/58/EC.3 Some European member states have decided to implement the minimal state of compliance with the European data protection directive, thus adhering with minimum requirements. Other member states have opted for a greater concept of data protection, seeking to elevate the interest and wishes of the individuals above those of data users.
The following sections discuss recent developments4, 5 within the data protection legislation.
IP Classification Under the Data Protection Act 1998
There have been discussions about the inclusion of Internet Protocol (IP) addresses as personal data, thus falling under the scope of the UK Data Protection Act of 1998. This discussion has been raised by several authorities, including Peter Schair, the German data protection commissioner, and Elizabeth France, the UK information commissioner, in 2001.6
France’s view in 2001 was that IP addresses on their own cannot identify a living individual, thus they should fall under the scope of the Data Protection Act. Further still, she differentiated between static IP addresses, those that are always assigned to a machine or by assumption are linked to an individual, and dynamic IP addresses, those that are assigned to different machines, and confirmed that IP addresses on their own do not fall under the scope of the Data Protection Act of 1998. Alternatively, she suggested that IP addresses, alongside user profile data-gathering technologies, should fall under the scope of the Data Protection Act of 1998.
A similar statement comes from an independent European Union (EU) advisory body, Article 29 Data Protection Working Party,7 which suggested that IP addresses alongside Internet user profiles should be included in the scope of data protection.
There has been a recent change in the views of some data protection authorities, mainly that of the German data protection officer, who also leads the EU group that proposed a report on how well the privacy policies of Internet search engines, such as those operated by Google and others, comply with the EU privacy law. The overwhelming consensus from the 2008 report was that IP addresses should be classified as personal data, to ensure that adequate measures are employed to protect data subject privacy.8 This issue is currently being debated by the EU’s group of data privacy regulation. Private companies such as Google are striving to hide IP addresses. Microsoft does not record IP addresses, but uses Passport Network technology that is linked to its popular Hotmail and messenger services.
Internet Search Engines Compliance under the Data Protection Statutes
The Article 29 Data Protection Working Party presented an opinion on a new set of responsibilities under the data protection directive (95/46/ EC) for search engine providers as controllers of user data.9 As providers of content data (e.g., the index of search results), European data protection statutes also apply to search engines in specific situations, for example, when building subjects’ data profiles.
A key conclusion of the opinion is that data protection generally applies to the processing of personal data by search engines, even when their headquarters are outside the European Economic Area (EEA), and the onus is on the search engine to clarify its role and the scope of its responsibility under the directive.
Also, personal data must be processed only for legitimate purposes. Search engine providers must delete or irreversibly sanitise personal data once they no longer serve the specific and legitimate purpose for which they were collected, and must be capable of justifying retention and the longevity of the cookies deployed at all times.
The consent of the user must be sought for all planned cross-relation of data that enables an individual to be identified. Users should be presented with an opt-out option by search engine providers to prevent their personal data from being processed. Also, search engine providers must comply with users’ requests to update/refresh caches that store their personal data. It was also suggested that search engine providers should retain personal data for only six months to comply with data protection laws, unless they can demonstrate comprehensively that it is strictly necessary for their services. Reasons for exceeding the six-month suggested time frame could be fraud prevention, an accounting requirement and personalised advertising, amongst others.
These regulations are mandated by EU authorities and mainly apply to EU Internet companies. Nevertheless, data processors that are based outside the EEA have to comply, if they process personal data from EU countries. In complying with the data protection statutes, most Internet/e-commerce companies are likely to invest in hiding personal data, thus avoiding the scope of the data protection statutes. As a result, subscriber and product cost of Internet/e-commerce will likely increase.
1 Convention for the Protection of Individuals With Regard to Automatic Processing of Personal Data, 7 January 2007, http://conventions.coe.int/Treaty/en/Treaties/Html/108.htm
2 European Commission, Directive 95/46/EC on the Protection of Individuals With Regard to the Processing of Personal Data and on the Free Movement of Such Data, European Parliament and of the Council, 24 October 1995, www.dataprotection.ie/viewdoc.asp?DocID=89
3 European Commission, Directive 2002/58/EC Concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector, European Parliament and of the Council, 12 July 2002, www.dataprotection.ie/viewdoc.asp?DocID=71
4 France, Elizabeth; Views on IP Addresses, www.out-law.com/page-5733
5 Article 29 Data Protection Working Party, ‘Opinion on Data Protection Issues Related to Search Engines’, http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2008/wp148_en.pdf
6 Op cit, France
7 Article 29 Data Protection Working Party, ‘Opinion 4/2007 on the concept of personal data’, http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2007/wp136_en.pdf
8 Privacy.org, ‘German Data Protection Commissioner Says IP Addresses Are Personal Information’, http://www.privacy.org/archives/002202.html
9 Op cit, Article 29
A. Abimbola, Ph.D.
has been in the information security and regulatory compliance industry for more than eight years. He has written more than 30 publications in journals and appeared in numerous conferences. He was nominated for Who’s Who in Science and Technology in 2008 and Who’s Who in the World in 2009.
ISACA Journal, formerly Information Systems Control Journal, is published by ISACA, a nonprofit organization created for the public in 1969. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute and their committees, and from opinions endorsed by authors, employers or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.
Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.
US: one year (6 issues) $75.00
All international orders: one year (6 issues) $90.00
Remittance must be made in US funds.