#CyberFLASH: IP Addresses As Personal Information: The Canadian And EU Positions Contrasted

The October 19, 2016 judgment of the European Court of Justice in the matter brought by Patrick Breyer against the Federal Republic of Germany (the “EU Decision”) raises the issue of whether an IP address is personal information under the EU Directive 95/46/EC and provides an interesting comparison with the Canadian perspective.

The EU Decision

As we have covered on this blog, in the EU Decision, Mr. Breyer claimed that the Federal Republic of Germany had no right to retain the IP address from the device he used to search for information on various government websites. He contended that his IP address is personal information that the website operator may keep only for the purpose of facilitating access to the site and not for general purposes such as safeguarding the security of the site or fending off cyber-attacks such as denial-of-service attacks.

The Court of Justice held that where third parties, such as internet service providers (“ISP”), have subscriber information that can be legally accessed by the website operator and used in conjunction with the IP address to identify the visitor, the IP address is personal information. The Court seemed to leave open the question of whether the IP address would constitute personal information if the holder of it could not reasonably or legally obtain the other information needed to identify the owner of the address. In so doing, it adopted a “relative” definition of personal information.

The Court also held that individual states could not pass legislation that forbids the use of an IP address for any purpose other than facilitating network access and billing.

The Canadian Perspective

The EU Decision provides an interesting contrast with the view of the Office of the Privacy Commissioner (“OPC”) in Canada. In a research paper published in May 2013, the OPC revealed that an IP address, combined with other publicly available information, even without any access to the ISP subscriber records, may permit identification of the owner and his or her web-browsing or other activities. Based on this finding, an IP address may in many circumstances be personal information regardless of whether the ISP subscriber records linking that address with an individual are legally accessible to the organization collecting the IP address. Thus, in Canada, IP addresses may be treated as personal information in more situations than in the EU.

#CyberFLASH: Should privacy by design be part of Canadian law?

Ann Cavoukian has long touted the benefits of “data privacy by design” and now the European Union has passed an overarching privacy law called the General Data Protection Regulation, which embeds that requirement.

The regulation comes into effect in 2018 in the EU. What is unusual about the regulation is that it applies to all EU member countries, replacing the separate privacy laws of each of its 28 countries.

Privacy by design was first developed by Cavoukian in the 1990s when she was privacy commissioner of Ontario. It is an approach to protecting privacy by embedding it into the design specifications of technologies, business practices, and physical infrastructures.

“That in itself is huge,” said Cavoukian, now the executive director of the Privacy and Big Data Institute at Ryerson University.

She was speaking on an International Association of Privacy Professionals panel last week in Toronto called “Privacy by design: How I learned to stop worrying and love disruptive technology.”

Even though privacy by design has been embraced globally for many years, the EU law is the first time it’s appearing in a statute.

Cavoukian noted that Canada’s privacy commissioner, Daniel Therrien, is also now asking if privacy by design should be embedded into Canadian law.

© 2013 CyberTRAX Canada - All Rights Reserved.
Sponsored by C3SA Corp.