No more confusion: An IP address is personal information

Maybe you have noticed it. Privacy is an issue. A bit strange since there are only 23 days left until the new EU General Data Protection Regulation (GDPR) will become fully enforceable throughout the European Union.

So before end of May 2018 all organizations that process data of EU citizens must comply with this General Data Protection Regulation. Determining exactly what private data is not straightforward. What does not help is that a lot of information on many sites regarding on what is allowed under the GDPR is plain wrong. E.g. there is a lot of confusion about the object ‘IP address’. Is an IP address personal information or not?

An Internet Protocol address (IP address) is a numerical label assigned to each device connected to a computer network that uses the Internet Protocol for communication. But most non-IT people still have no glue what an IP address is. This because to understand what an IP address really is, you will need to be familiar with the working of Internet, IP communication networks and how an IP address is part of this very complex communication system. Also an IP address is not something that comes to mind when someone asks you to deliver some personal information.

When you use Internet communication networks most of the time someone else will make sure you get a valid IP address. However this still makes it not directly personal information that is traceable to you. This is because:

  • Almost all Internet Service Providers will work with temporary randomly assigned IP addresses. This means that you will not use the same IP address every day. In technical terms: DHCP. This Dynamic Host Configuration Protocol (DHCP) is a network management protocol used on TCP/IP networks whereby a DHCP server dynamically assigns an IP address to devices on a temporary basis.
  • There is not always a correct (automated) administration that identifies you with the temporary given IP address.
  • It is very easy to use another IP address.
  • Besides an IP address you also need a MAC address. A MAC address (media access control address) is used to identify devices on  networks  to transmit data packets between devices on local systems (phones, tablets, computers etc). When you do transactions using Internet communication you will expose both an IP addresses and a MAC address. Most of the time the MAC address is originating from your home router device or phone. But it is also easy to use another MAC address.

So the question remains: Why should an IP address be treated as an object under the GDPR? To understand why an IP address is regarded as personal information under the GDPR you should take an other question in mind. What is an IP address in the context of privacy?

When you access a service over Internet, e.g. an eCommerce site or a news-site you will always leave a trace. Minimal there will be an IP address in a server log. But since most of the time you will provide far more information about your identity without knowing it an IP address becomes linkable information that can be traced back to you. An when data can be traced back to you it is personal identifiable information.

Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data. This means that MAC addresses, IP addresses are data pieces that are defined as personal data under the GDPR. But since the GDPR is not specific on details you will not find terms like MAC address or IP address in GDPR document.

Before the GDPR different individual EU member states act differently on whether an IP address should be considered personal data. The new GDPR Regulation, which will override member state implementations of the Directive. So to prevent further discussions within the GDPR is now stated in article 4.1 “personal data” means any information relating to an identified or identifiable natural person.

But having an IP address and MAC address will not mean that you can easily identify a natural person. Most of the time information e.g. from ISPs or local network administrators is needed to determine the real individual behind an IP address.  Fortunately for those who need to communicate privately there are still plenty of options. Thanks to many OSS developers and open foundations there are excellent ways to communicate on Internet without exposing your real identity. You can find some nice secure and private communication tools in the ‘Open Reference Architecture for Security and Privacy‘.

This blog post will be added (after rewrite) as an extension on the ‘Open Reference Architecture for Security and Privacy‘. We are working on an renewed version. Please join us!