A court in the United Kingdom has cast doubt on whether IP addresses can be used to identify infringement of copyright by a specific individual. In this post, we ask whether this case impacts the generally accepted view in Europe that IP addresses should be treated as personal data under applicable data privacy laws.
The case of Media CAT Limited v Adams & Ors  EWPCC 6 involved allegations that a number of defendants had infringed copyright in pornographic films through the use of peer-to-peer (P2P) software. In order to prove these allegations the claimant had monitored the unauthorised exploitation of the copyright work on the P2P network and compiled a list of IP addresses linked to the unauthorised exploitation of the work. Accordingly, one of the issues to be determined at trial was whether it is possible to use IP addresses on their own to establish that a specific individual had committed copyright infringement.
Before the court could determine this issue, Media CAT issued notices of discontinuance in respect of the original proceedings with the intention of reissuing new claims. Media CAT is now reported to have ceased trading and be insolvent and while we are therefore unlikely to receive a definitive answer to this question as part of this particular action, in his judgment of 8 February 2011, HH Judge Birrs QC saw fit to question whether IP addresses could be used to establish copyright infringement:
91. First, the nature of the case itself raises many questions. I have mentioned some of them above. The issues are as follows:-
- Does the process of identifying an IP address in this way establish that any infringement of copyright has taken place by anyone related to that IP address at all.
- Even if it is proof of infringement by somebody, merely identifying that an IP address has been involved with infringement then encounters the Saccharin problem. It is not at all clear to me that the person identified must be infringing one way or another. The fact that someone may have infringed does not mean the particular named defendant has done so. Perhaps the holder of the account with the ISP has a duty to assist along the lines of a respondent to another Norwich Pharmacal order but that is very different from saying they are infringing.
What does this mean for data privacy? The case did not conclusively determine that IP addresses cannot be used to identify individuals for the purpose of establishing copyright infringement. It is merely a question of evidence. An IP address alone cannot conclusively connect the individual accessing the internet and committing an infringing act with the individual that holds the account with an ISP connected to that IP address. To convict some-one of crime in the UK (among other places) you need to establish beyond all reasonable doubt that they (not any-one else) are guilty. Conversely, in order to protect privacy the law needs to take a more conservative approach and if something can be used to identify an individual (even if it does not do so in call cases) then that data should attract the requisite protection.
This approach is followed by UK Information Commissioner and the Article 29 Data Protection Working Party who recognise that is not possible to say with certainty that an IP address can be used to identify an individual depending on how they are used, but recommend that in order to avoid breaching data protection legislation, data controllers should treat IP addresses as if they can be used to identify an individual and are therefore personal data (see the Code of Practice for Personal Information Online, Opinion 4/2007 on the concept of personal data and Opinion 2/2010 on online behavioural advertising).
Whilst no organisation that processes IP addresses and related data should treat Media CAT as authority to ignore the data privacy laws; it does beg the question of whether as technology advances and we carry portable devices with us everywhere linking to any available wifi network whether an IP address alone (when not coupled with information collected by cookies or other unique identified that can distinguish between users) will ever really track the activity of a single individual in a way that it should attract the protection of data privacy rules.