IP addresses – personal data?

February 12th, 2016 by Anya Proops

The question of how data protection rights cash out within the online environment is without doubt one of the more difficult questions which data privacy practitioners have to tackle. One major area of contention is the extent to which data protection legislation applies to ostensibly anonymous, impersonal online data. This is an issue which our own Court of Appeal considered last year in the case of Vidal-Hall v Google. In that case, the Court of Appeal readily accepted that there was at the very least a serious issue to be tried on the question of whether tracking data used by Google to track the browsing activities of Google users amounted to ‘personal data’. This was despite the fact that Google did not generally know the name of the user in question: its tracking operation entailed the tracking of individual devices, rather than named individuals. According to the Court, there was a serious issue to be tried the question of whether the tracking data amounted to ‘personal data’, particularly in view of the way in which Google’s appeared effectively to individuate end users through the use of cookie technology.

What then of IP addresses? Can they too amount to personal data, despite the fact that they may not per se themselves yield any specific name or other traditional identifier? This is the issue which the CJEU will be addressing in the forthcoming case of: Breyer (Case C-582/14), due to be heard by the CJEU on 25 February 2016. Whilst of course nothing would give me greater pleasure than to wax lyrical on the particular technical arguments which lie behind this case, I feel I must defer to this easy-to-follow analysis on EU Law Radar. But I will just point out that as long ago as 2007 the Article 29 EU Working Party was prepared to express the view that the definition of ‘personal data’ in the Data Protection Directive was wide enough to encompass IP addresses (see its Opinion 4/2007). Given the current direction of travel within Europe in terms of giving online data privacy legislation some bite, it would not be altogether surprising if the CJEU took the same view.

Anya Proops


The Right to be Forgotten: big steps forward, small steps back?

February 11th, 2016 by Robin Hopkins

If you made a successful ‘right to be forgotten’ request to Google in the UK, the outcome would be that the URL you complained of would no longer appear in search results through the google.co.uk search engine. However, by simply using the .com version of the browser instead, that outcome would be neatly sidestepped: the offending URL would appear in the search list against your name, unaffected by your exercise of your right to be forgotten.

Google has announced today that, as requested by the ICO among others, it will change that practice and introduce consistency across the versions of its browser. Read more »


Investigatory powers and privacy

February 9th, 2016 by James Goudie QC

The Government’s draft Investigatory Powers Bill has been criticized by Parliament’s Intelligence and Security Committee, chaired by former Attorney General, Dominic Grieve QC MP, in a Report published today.  The Committee is “disappointed to note” that the Bill does not cover all the intelligence and security Agencies’ intrusive capabilities, and that the draft Bill fails to provide a clear and comprehensive legal framework to govern the use and oversight of investigatory powers.

Read more »


Indiana Jones and the EU-US Privacy Shield – Updated

February 3rd, 2016 by Christopher Knight

Just like the Ark of the Covenant, the Holy Grail, bizarre alien crystal skull things and whatever it was they were looking for in the Temple of Doom, there is another object of great supposed power and endless fascination. Known only as the ‘EU-US Privacy Shield’ – to be wielded with the mighty Sword of Data no doubt – it is rumoured to have the ability to prevent secret intelligence-harvesting, solve personal data disputes and single-handedly rescue inter-state trade. Like a less exciting Corby trouser press. And now this amazing artefact has been uncovered, by the European Commission no less, buried at the bottom of a Brussels file marked ‘Desperate Ideas to Buy Time’.

Read more »


Free expression vs reputational rights: liability of online intermediaries

February 2nd, 2016 by Robin Hopkins

If you take the view that a reader’s comments about you posted on a news website infringe your privacy or data protection rights, should you be able to sue the website (as opposed to the author of the comments)? This question is enormously important. It reflects our evolving legal, social and ethical approach to resolving tensions between freedom of expression and privacy. It goes to the heart of both online journalism and internet business models. A new judgment given today makes an important contribution to this debate – and will be seen as heartening for advocates of free expression in an online world. Read more »


[Insert Safe Harbor Pun Here]

February 2nd, 2016 by Christopher Knight

Readers will recall a minor data protection development last year in Case C-362/14 Schrems, in which the CJEU annulled the Safe Harbor (or Harbour) framework under which data had been merrily being transferred from the EU to the US without, apparently, breaching the eighth data protection principle (in strictly DPA terms). It prompted rather a lot of commentary online, including here and here, as well as some frantic reassurances from the European Commission discussed by me here. Readers may also recall the warning issued by the Article 29 Working Party that if a solution wasn’t found by the end of January, they would be take appropriate action (drum roll please). Read more »