The Irish data protection authority believed that the settlement would violate Irish data protection laws. The court was asked to answer three questions:
Whether the IP addresses collected by DetectNet are personal data before they are transferred to Eircom?
Whether Eircom’s processing of personal data for implementation of the graduated response mechanism is legitimate?
Whether the personal data processed by Eircom are "sensitive" because they relate to a criminal offense.
For the first question, the court held that the IP addresses in the hands of DetectNet are not personal data because it is not "likely" that DetectNet would have the means or motivation to find out the names or addresses of the persons corresponding to the IP addresses. The court said that the word "likely" as used in the Irish law means "probably."
For the third question, the court held that the graduated response mechanism deals solely with civil infringement, and not with alleged criminal infringement. Alleged criminal infringement involves an intentional element that is absent from the mechanism implemented by Eircom.
On the IP address issue, I invite readers to look back at the Article 29 Working Party’s opinion on the concept of personal data, particularly page 15.
Regarding "graduated response" in general I invite readers to review a previous update on the French Consitutional Court decision, and to Gerry Oberst’s blog entry on Internet Freedom and Data Privacy.
The Irish decision is creating controversy, particularly as European Member States are debating net neutrality and the proposed ACTA treaty.