Should IP addresses constitute personal data?
The IT sector is among the sectors most directly affected by this ordinance
The government’s consultation paper for the review of the Personal Data (Privacy) Ordinance (PDPO) is long overdue. The ordinance was passed in 1996, before the Internet became popular—let alone Web 2.0 and social media—and is thus far behind public awareness and expectation.
The public naturally wants “maximum protection,” but as the consultation document rightfully states: “balance is needed between safeguarding personal data privacy and facilitating continued development of information and communications technology,” and the ordinance “should remain flexible and relevant” in spite of technological change—that is, it should maintain technological neutrality.
Sensitive data
Nonetheless, the IT sector is among the sectors most directly affected by this ordinance. An example: the proposal in the consultation document that biometric information be classified as “sensitive personal data”—a new introduction to the ordinance that would call for a higher degree of protection by the data users, and hence heavier punishment in case of data-leakage. The government’s rationale is that such biometric data are inalterable, thus damage caused to data-owners would be severe and permanent.
However, why single out biometric data to be made “sensitive,” while in other jurisdictions such as Australia and the UK, sensitive personal data includes criminal records, racial or ethnic origin, political opinions, religious or philosophical beliefs, membership in trade unions, health information, and sexual orientation?
In fact, ever since the Privacy Commissioner's Office issued a directive earlier this year repudiating the use of fingerprint technology in schools for attendance keeping, the effects have been chilling for local companies providing such solutions. While the PCO guidelines maintain that biometric solutions are acceptable as long as they are not mandatory, or that such a high level of secure access control is justified for its purpose, many biometric solution providers have nonetheless seen their business dry up since this summer.
Another main concern for the IT sector is the proposal to regulate data processors—such as application developers, Internet service or web hosting providers, which provide outsourced services to the actual data users that hold the personal data of the subjects. Previously, data processors were not regulated by the ordinance. With the advent of cloud computing, this is a void to be addressed.
All users affected
Should data processors be regulated directly by the ordinance, or indirectly—meaning the data user must “ensure that its data processors provide security protection to personal data at a level comparable to itself,” as required by the ordinance? Data subjects would have redress against data users, who would in turn have redress under contractual law with the data processor.
There are many other areas in the consultation that will affect all businesses handling any type of personal data, including that of their customers and employees. For instance, should there be mandatory disclosure to data subjects in case of a breach? Also, the document proposes further empowering the Privacy Commissioner by making it an offense in cases of unauthorized obtaining, disclosure and sale of personal data—or repeated contravention of a data protection principle—and allowing the Commissioner to impose monetary penalties for serious contraventions of data protection principles.
However, the document also reveals some recommendations made by the Commissioner but not taken up by the government—the IT sector should consider whether IP addresses constitute personal data. While IP addresses by themselves won’t identify users, there are circumstances where, combined with other data, IP addresses will be critical in identifying their users. It is unfortunate that the government has chosen not to even consult on this important issue, which would produce better guidelines for the industry going forward.
The Personal Data (Privacy) Ordinance consultation document is at http://www.cmab.gov.hk/doc/issues/PDPO_Consultation_Document_en.pdf and the deadline for responses is November 30, 2009.
Published on Computerworld Hong Kong November 2009 Issue
