HL Chronicle of Data Protection Privacy & Information Security News & Trends

Irish Court: IP addresses not personal data

In an April 16, 2010 judgment, the High Court of Ireland decided that a settlement agreement entered into between Ireland’s largest ISP, Eircom, and EMI, Sony Music, Universal Music, and Warner Music did not violate Ireland’s data protection law.  The settlement agreement was signed after the record labels sued Eircom in connection with Eircom’s failure to take action to discourage peer-to-peer copyright infringements on its network.  In the settlement, Eircom agreed to implement a graduated response mechanism with its customers, pursuant to which Eircom would send warnings to customers who had been detected as participating in unauthorized file sharing.  If a customer ignored Eircom’s warnings, Eircom would cut off that subscriber’s Internet access.  This sanction would be applied on a purely contractual basis, based on the subscriber’s violation of Eircom’s terms of use.  Subscribers’ identities would never be shared with the record companies or with the police.  The detection of illegal file sharing would be conducted by a third-party service provider, DetectNet, which would collect IP addresses and communicate them to Eircom.

The Irish data protection authority believed that the settlement would violate Irish data protection laws.  The court was asked to answer three questions:

Whether the IP addresses collected by DetectNet are personal data before they are transferred to Eircom?

Whether Eircom’s processing of personal data for implementation of the graduated response mechanism is legitimate?

Whether the personal data processed by Eircom are "sensitive" because they relate to a criminal offense?

For the first question, the court held that the IP addresses in the hands of DetectNet are not personal data because it is not "likely" that DetectNet would have the means or motivation to find out the names or addresses of the persons corresponding to the IP addresses.  The court said that the word "likely" as used in the Irish law means "probably."  

For the second question, the court found that the processing is justified because of the subscriber’s consent to Eircom’s terms of use, and also because the processing is necessary for the performance of a contract and for compliance with a legal obligation.  

For the third question, the court held that the graduated response mechanism deals solely with civil infringement, and not with alleged criminal infringement.  Alleged criminal infringement involves an intentional element that is absent from the mechanism implemented by Eircom.

On the IP address issue, I invite readers to look back at the Article 29 Working Party’s opinion on the concept of personal data, particularly page 15.

Regarding "graduated response" in general, I invite readers to review a previous update on the French Constitutional Court decision, and Gerry Oberst’s blog entry on Internet Freedom and Data Privacy.

The Irish decision is creating controversy, particularly as European Member States are debating net neutrality and the proposed ACTA treaty.