Efforts to combat illegal music downloads again raise privacy issue over IP addresses

For quite some time we’ve been following the development of the legal debate in both the European Community and the United States over whether IP addresses can be considered personally identifiable information, and therefore handled under personal information privacy laws. In general, it seems that the American and European judicial systems are heading in opposite directions on this issue, with publicly stated opinions by both government officials and judges from some European countries that IP addresses should be considered personal information because, at least some of the time, they can be used to identify individual computer users. If we leave aside the legal rules of evidence (on either side of the Atlantic), we don’t have to resolve the question of whether an individual who owns a computer can be held accountable for actions traced through an IP address linked to a that computer. The point is that some authorities have held that you can track an individual through an IP address, and in the European regulatory structure, that puts the IP address within the scope of the Data Protection Directive (95/46/EC) and therefore severely restricts organizations from collecting or using this information.

This topic is back in the European spotlight this week due to a legal case in Ireland, which involves a settlement that a group of record companies worked out with Irish telecommunications leader Eircom in an effort to combat illegal music downloads by Eircom customers. Eircom agreed to identify customers using their IP addresses and disclose those identities to the record companies. The practice has yet to be implemented due to concerns over the potential violation of privacy such a disclosure would constituted under the national and European Community data protection laws, so now the record companies are seeking a legal ruling from the High Court (which has jurisdiction over all civil and criminal matters in Ireland, subordinate in authority only to the Irish Supreme Court) on the data protection issues involved. The issue at hand is no so much whether IP addresses do or do not constitute individually identifiable information — the IP addresses are being used specifically for the purpose of identifying Eircom users by name — but whether the evidence of wrongdoing by users who download music illegally outweighs the privacy protection. To the extent this argument implicitly accepts the personally identifiable nature of IP addresses, it represents another salvo in the European debate over this issue. Less than a month ago a French court ruled that an IP address cannot be used to positively identify an individual, a legal opinion that if applied to the Irish case would make the current request irrelevant, since it would seem to cast doubt on the “evidence” against individuals accused of illegal uploads or downloads.