Article contents
Dynamic IP Addresses Can be Personal Data, Sometimes. A Story of Binary Relations and Schrödinger’s Cat
Published online by Cambridge University Press: 26 April 2017
Abstract
- Type
- Case Commentaries
- Information
- European Journal of Risk Regulation , Volume 8 , Issue 1: Cambridge Inaugural Issue: The Past, Present And Future of Risk Regulation , March 2017 , pp. 191 - 197
- Copyright
- © Cambridge University Press
Footnotes
Research assistant at HEC Paris and ICT external expert at European Commission; email: [email protected] and Twitter @alelkhoury. The author wishes to thank Mr Luca Vogna, system architect at the European Commission.
References
1 Directive 95/46 of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ L 281, 23.11.1995, p. 31.
2 H Kuan, C Millard, and I Walden, “The problem of ‘personal data’ in cloud computing: what information is regulated?—the cloud of unknowing” (2011) 1(4) International Data Privacy 37.
3 Case C-101/01 Lindqvist [2003] ECLI:EU:C:2003:596, para. 24. In this case a telephone number alongside a name was deemed to be personal data.
4 Art. 29 Data Protection Working Party, Opinion 4/2007 on the concept of personal data, 01248/07/EN, WP 136.
5 Case C-582/14, Patrick Breyer v Bundesrepublik Deutschland ECLI:EU:C:2016:779.
6 A similar concept is enshrined in Austrian data protection law (Datenschutzgesetz, 2000). Referred to as “indirect personal data”, it entails that information is “indirectly personal data” if the controller, processor or recipient of the data cannot identify the individuals using legally permissible means.
7 See P Breyer, “Illegale Vorratsdatenspeicherung in der Telekommunikationsbranche?” (2012) 1-2 Neue Juristische Wochenschrift 14.
8 Case C-70/10 Scarlet Extended ECLI:EU:C:2011:771, para. 51.
9 In Information Technology this is technically known as DHCP (Dynamic Host Configuration Protocol).
10 See also Opinion of Advocate General Campos Sanchez-Bordona in Breyer ECLI:EU:C:2016:339, paras. 52–53 and footnote 11 for a summary of German academic positions.
11 Telemendiengesetz (Law on telemedia) of 26 February 2007, BGBI. 2007 I, p. 179.
12 Regretfully, it has to be noted that none of the judicial bodies noticed that an IP address, besides its static or dynamic nature, is often sufficient to reveal the geographical location of the devices to which it is assigned, thus revealing the physical location of a data subject at a specific time. On the risks of geolocation see Art. 29 Data Protection Working Party, Opinion 13/2011 on geolocation services on smart mobile devices, 811/11/EN, WP 185, p. 7.
13 Cases C-468/10 and C469/10 ASNEF and FECEMD [2011] ECLI:EU:C:2011:77, paras. 30–33.
14 J Gantz. and D Reinsel, “Extracting value from chaos” (2011) IDC iView Article sponsored by EMC Corporation, available online at <https://www.emc.com/collateral/analyst-reports/idc-extracting-value-from-chaos-ar.pdf> (last accessed 19 December 2016), 2.
15 For the implications of metadata with data ownership and data mining see A El Khoury, “Data Protection & Risk Regulation. Cloud Computing: a case study” (2016) Thesis on file at LUISS School of Government, pp. 44–47.
16 E Schrödinger, “The present situation in quantum mechanics” (1935) 23(48) Naturwissenschaften 807.
17 A Narayanan and V Shmatikov, “Robust de-anonymization of large sparse datasets” (IEEE Symposium on Security and Privay, 18–22 May 2008), 111–125. For the accretion problem, once an adversary has linked two anonymized databases together, he can add the newly-linked data to his collection of outside information and use it to help unlock other anonymized databases. See also P Ohm, “Broken promises of privacy: Responding to the surprising failure of anonymization” (2010) 57 UCLA Law Review 1701, 1746.
- 2
- Cited by