EU Considers IP Addresses "personal data"

I heard about this through the CyTrap labs Regustand newsletter. Basically, the Article 29 Working Party of the European Commission have carefully read the privacy regulations and issued an interpretation that, among other things, consider that IP addresses are personal data and are subject to privacy regulations.

I suppose from a privacy perspective this makes sense, and if you read the interpretation, it is hard to argue with the logic. On the other hand, the only organization that can reasonably identify a person on the other end of an IP address is the ISP that issued it. J Random Webmaster can capture the IP address and some other interesting information about the client, but they will be hard-pressed to associate that information with an "identified or identifiable natural person". But the wording of the legislation states that any information "relating to" such a person is "personal data", and IP addresses would seem to qualify. This means that IP addresses are subject to Directive 95/46/EC which governs the use of personal data.

So does this mean that DHCP logs are subject to the same regulations that passport numbers are? It would seem so. Even in the enterprise? Again, it would seem so.

Yet another thing to add to the compliance effort.

Comments are closed