The Ministry of Justice has been seeking evidence to inform its input into the ongoing revision of the European Data Protection Directive (95/46/EC). I’ve submitted a JANET response, covering three issues where we frequently trip over problems with either the interpretation or the use of the current Directive and the Data Protection Act 1998 that implements it in the UK: the status of IP addresses and other indirectly-linked identifiers, the use of consent as a justification for processing, and the proposed requirement to notify a regulator of security breaches affecting personal data.
The biggest problem for applying data protection law to the Internet is that the law has no appropriate mechanism for dealing with IP addresses and similar identifiers. The organisation or ISP that assigns an IP address to a computer will usually know the identity of the person responsible for it, so there should be little doubt that the address is personal data in the hands of that organisation. However, many other organisations will receive and process the address as it is used to navigate around the Internet: most of them will not be able to link the address to a person, and the law is very unclear whether they are required to treat it as personal data or not. Indeed there is a growing number of court decisions that are simply contradictory on this question. The problem is that both answers, “yes” and “no”, are unworkable. If an IP address is personal data then the law requires that the individual concerned must be notified by every organisation using it and be able to demand full details from each of them of what is done with it; the originating organisation must also have a contract covering any transfer of the information outside Europe: a requirement that I suspect the Internet breaks billions of times a day! If, on the other hand, IP addresses are not personal data then there is no restriction on what networks and servers can do to gather information about each other’s users or invade their privacy. Our main recommendation, therefore, is to introduce a third category of regulation for indirectly-linked information, where all the requirements are based on the actual level of risk to privacy. This should improve privacy protection in two ways: by creating an incentive to use privacy-protecting tools such as pseudonymous identifiers (thereby reducing the regulatory burden), and by making clear that there is still some privacy requirement on information that may previously have been treated as non-personal (and therefore unprotected) because that was the only practical option.
UPDATE: I’m delighted to see that the consultation response from the UK Information Commissioner confirms that he recognises the problem and proposes the same solution (I promise that I didn’t plagiarise him!):
Any new legislative framework should continue to apply to both direct and indirect forms of identification. However, there is evidence of considerable uncertainty in the practical application of the current law to information that identifies people indirectly. … A new Directive should open the way for a more realistic treatment of this sort of information. For example, it might require the security principle to apply to all forms of personal data, but acknowledge the practical difficulty involved in obtaining consent for the processing of, or the granting of subject access to, some information that identifies individuals indirectly. A simple ‘all or nothing’ approach to data protection requirements no longer suffices, given the variety of information that can now fall within the definition of personal data. The requirements should be more clearly linked to the risk to individual privacy.
(page 3, though the whole paper is well worth reading).
The other concerns relate to areas where data protection law may, perversely, be acting in a way that reduces, rather than improves, privacy. The law allows personal information to be processed on the basis that the individual has given their consent. However, this justification seems to be used in many situations where it is not appropriate, either for the individual or for the service collecting the information. Unlike the other justifications, which are based on necessity (for example to deliver a service or to comply with a legal duty), consent can be withdrawn by the individual at any time and without giving a reason. It is therefore unlikely to provide a stable basis for a service. It appears, however, that consent is often claimed as a carte blanche for any collection or use of personal information, thus avoiding the question of whether that collection or use is actually necessary. Although the Information Commissioner recommended some time ago that consent be used only as a last resort, it seems that clearer encouragement on this point may be needed.
UPDATE: or, as the Information Commissioner’s response puts it on page 32:
a particular consent may not be adequate to satisfy the condition for processing (especially if the individual might have had no real choice about giving it), and even a valid consent may be withdrawn in some circumstances. For these reasons an organisation should not rely exclusively on consent to legitimise its processing. In our view it is better to concentrate on making sure that you treat individuals fairly rather than on obtaining consent in isolation. Consent is the first in the list of conditions for processing set out in the Act, but each condition provides an equally valid basis for processing personal data.
Finally, the consultation seeks views on the introduction of mandatory reporting of security breaches that affect personal data. As I’ve discussed previously, this could be a good idea if it allowed those affected to protect themselves, or encouraged organisations to learn from their own, and each other’s, mistakes. However, public notification has also been suggested as a way to shame organisations into improving their practices. That seems more likely to make them hide problems, and could even encourage customers to move from organisations that try to do the right thing to those that ignore the law.