A comment on one of the articles earlier this week prompted me to dig around privacy legislation from various part of the planet, only to realise what a mess it is and I should probably just have mowed the lawn instead. It would have been easier on the brain. So just to give you something to think about over the weekend, or discuss at a BBQ. Is an IP address personal data? If you are in a rush, the conclusion I came to was it depends.
Just before we go on I will start all of this with I am not a lawyer (IANAL), just a security guy trying to make sense of things and likely getting some of it wrong. So if you have a need to know for sure, I suggest you ask a lawyer.
Before we get to IP addresses we'll need to define what personal data is. This seems to be fairly consistent between countries. This is likely because most privacy legislation is based on the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data first adopted in 1980 after almost 10 years of discussion. Generally the definition of Personal data boils down to any information that can identify a particular individual. Some countries expand this by explicitly stating things such as race, religion, sex and other information that most of us would consider personal.
From an IP address perspective, do IP addresses fit that definition? This is where it starts getting very muddy. It appears that in some countries the answer is yes and in others it is no. To add a third option, some countries go with, only if it is combined with other items that identify a person.
When we started discussing this Swa, one of the other handlers pointed out this document Study of case law on the circumstances in which IP addresses are considered personal data It is a study of the various laws in the EU and how they relate to the EU directives regarding privacy (page 16 especially). The rest of the document is a good read, but the table on page 16 makes it very clear how confused privacy laws can be. The table shows, for example that in Austria there is no doubt, IP addresses are personal data. In the Netherlands they are not. In Bulgaria it is when combined with other information. In Italy it most certainly is. As for the rest of the world? In the US the answer seems to be no it isn't. In AU, the approach tends to be, when combined with other personal data it is. If you happened to know your local situation add it to the comments.
When I read the study from Timelex other questions popped into my head. So if IP addresses are Personal Data can I have web logs? Can I use a third party to track visits? Probably not, at least not if I'm based in those countries that say IP Addresses are personal data. Mind you many countries do have exemptions for research and security related activities, so sharing log extract, etc is still OK (remember IANAL so check if you need to be certain).
Other questions that popped in. Can I outsource to other countries? Maybe I can share the data with them, but can they give it back? Whose laws apply when I place stuff in the cloud? For example the ammendments to India's laws, according to informationweek.com, applies to data collected in India, but also data provided by overseas companies. What if you are a multinational? Which privacy laws apply?
Plenty to think about and I'm not suggesting that we should all become privacy experts or international privacy lawyers. What I am suggesting, however, is that you may need to point out that it needs to be thought about. After all our job is to help protect the organisation from risk.
If you want more info Wikipedia has some good links from their Privacy Law page. Some of the other resources around:
OECD Privacy Principles
OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data
AU - http://www.privacy.gov.au
EU - http://europa.eu/legislation_summaries/information_society/data_protection/l14012_en.htm
UK - http://www.ico.gov.uk/
HK - http://www.pcpd.org.hk
CA - http://www.priv.gc.ca/
If you have some resources, preferably from official bodies, that you think others should know about, add them to the comments or send them in.
Enjoy the weekend.
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.