French court rules IP addresses are not personal data

In something of a departure from a trend in some European countries towards considering IP addresses to be personally identifiable information, a French appeals court last week determined that an IP address could not be used to positively identify an individual computer user. The case reached the appellate level over the question of whether, under French law, prior authorization to collect IP addresses was needed from the National Commission for Information Technologies and Civil Liberties, as the French Data Protection Act requires before personal data is processed.

One interesting aspect of the ruling is that the French appellate court in this case and German, British, and other European data protection officials are considering exactly the same issue but arriving at opposite conclusions. The opinions hinge on the question of whether an IP address can be used to uniquely identify an individual computer user. The French court said that it cannot, while in cases in other EU countries authorities have cited circumstances such as the use of static IP addresses assigned by some ISPs to conclude that, at least some of the time, an IP address can be unequivocally linked to a single person.

Even in the case of static IP addresses, there seems to be a big leap between conclusively identifying a computer (the machine) and identifying the users operating the computer. If the intention is to hold the computer owner responsible for all possible actions performed using his or her property, there would seem to be little support for such an approach under current law. With a technically knowledgeable lawyer, you would also expect to see arguments questioning conclusive computer identification, given the feasibility of impersonating media access control (MAC) identifiers, not to mention IP addresses.