Tomás F. Serna
February 26, 2008
There has been some debate lately at this side of the Atlantic on whether IP addresses should be considered as personal data.
The EU Civil Liberties Committee recently held a hearing on various issues surrounding privacy on the Internet, where apparently this one surfaced as key amongst the different that were reviewed.
For some interesting background on what IP addresses are, as well as privacy issues surrounding them I’ll refer you to this post that was published on Feb. 22nd. on Google’s Public Policy blog. While the post is slightly biased -which is only natural and was to be expected-, it still contains useful information as well as some nice discussion on the comments section that certainly provide for a very interesting read.
This debate is taking place at EU institutions while in some member states such as Spain, the national regulator long time ago established its own criteria on the subject matter. In short, and as far as Spain is concerned, IP addresses are to be regarded as personal data. (1)
Without getting into too much detail, what this means is that files/databases containing such data would need to be dealt with in strict observance and accordance with European ‘data protection’ laws. If such data were combined with other data that could point to any kind of health record, political ideology or sexual preference… well, you just got yourself into some really tricky and very risky business.
It was many years ago (at least many in Internet years), that it was made clear that in order for services on the net to become mainstream and successful, they would have to invest heavily on personalization. Building a technological framework to provide an ever growing array of services, and then tailoring those to each and every individual within your user base sure sounded (and still sounds today), like the recipe for ultimate success.
I could be wrong, but if memory serves, Yahoo! was the one who first showed the way with ‘my Yahoo!‘. Many tried to build upon that early concept. Recent somewhat successful iterations of this are, to name just two, Netvibes and iGoogle.
The business model has undeniably evolved. Now it is no longer just about to get people to visit -traffic-, and spend time -page views-, within your website, but to collect as much information about them (within reason), as possible.
It is a win-win proposition. You will come to my all-for-free service/s which would be of value to you because while providing you with a service you demand (e.g. on-line news feed reader), they would be completely tailored to your tastes and interests. On the other hand this gives me, the service provider, a lot of valuable information about my users, so that I would be able to make a case before advertisers to invest in my targeted advertising business. That is fair enough.
So why not recognize the obvious and then move on? Why not recognize that IP addresses (amongst every other possible bit of information), are recorded precisely because be it directly or be it potentially, they ultimately lead to real people, their habits, tastes and interests?
I can only think of a reason. Business, but of course. Perhaps because higher operating costs are foreseen in order to comply with these regulations… Maybe because some current and/or future projected areas of business would face some extra hurdles when not be wiped right off the realm of what can be done without breaking the law on certain jurisdictions… Perhaps also because these businesses main source of revenue could potentially be to some degree threatened, as the whole selling argument to advertisers relies on how well they are able to target ads to their user base.
It may very well be a combination of the three above that scares them beyond belief as being Internet businesses, that while operating on a global scale were built from the ground up in a much more lax legal environment with regard to the understanding of the right to privacy… and that is most probably embedded in their corporate DNAs.
Should that be the case… well, lets just say that probably these foreign ‘data protection laws’ are something that you would better see avoided altogether… or at least their influence and effects limited whenever possible as well as to any possible extent.
(1) Regardless of them being dynamically or statically assigned, and without initial regard to the fact of whether they identify a single computer or a potential group of ‘n’ computers behind a router or similar device using network address translation capabilities.
Article submitted for publication to DataProtectionReview.eu, a publication of Madrid’s Data Protection Agency.
3 Comments »
Leave a comment
Advertencia de Protección de Datos:
Los datos personales capturados con ocasión de la utilización del formulario de comentarios (nombre/apodo, dirección de correo electrónico, sitio web y dirección IP), serán incluidos en un fichero del propietario del sitio web y se publicarán (excepto su dirección de correo electrónico y su dirección IP) en esta página con la finalidad de permitir opinar públicamente al lector, así como para en su caso contestar al comentario o consultas que formule. Podrá ejercitar sus derechos de acceso, de rectificación, de cancelación y de oposición en lo referido a dichos datos personales dirigiendo un correo electrónico a la dirección: email@example.com.
Please be informed that by using the comments form, your personal data (name/nickname, e-mail address, website and IP address), will be included in a file owned by the website proprietor and published along your comment (except for your e-mail and IP addresses), in order for the reader to publicly comment, as well as -should that be the case-, to respond to any comment or query that readers may have made. You will be able to exercise your rights to access, rectify, cancel and oppose such personal data by sending an e-mail to the following address: firstname.lastname@example.org.