Cyber Security Industry Alliance Newsletter •  Volume 3, Number 9  • July/August 2007

New Opinion by Article 29 Working Party on the Concept of Personal Data


The European Union Article 29 Working Party reasserts that EU IP addresses are considered personal data

The Article 29 Working Party comprised of the Data Protection Commissioners from the EU adopted a new opinion on the concept of personal data at its meeting on 19-20 June 2007.

The objective of the opinion is to come to a common understanding of the concept of personal data, the situations in which national data protection legislation should be applied, and the way it should be applied. The analysis of the definition of personal data has been conducted around the four building blocks of the European data protection directive (95/64/EC): "any information", "relating to," "an identified or identifiable" and "natural person", by means of concrete examples.

The opinion also addresses the issue of whether IP addresses are personal information. The Article 29 Working Party reasserts its opinion that in the EU IP addresses are considered data relating to an identifiable person and therefore constitute personal data.

This goes contrary to practice in the United States, for example, and has been contested by many in the ICT industry, e.g. Peter Fleischer, Google’s Global Privacy Counsel. He advocates that it should depend "on the context in which they are collected and how they are stored and processed" in order to determine whether it concerns personal data or not.

The Article 29 Working Party seems to take a more cautious approach by stating that "unless the Internet Service Provider is in a position to distinguish with absolute certainty that the data correspond to users that cannot be identified, it will have to treat all IP information as personal data."

Nevertheless, it does recognize that "where identification of the data subject is not included in the purpose of the processing, the technical measures to prevent identification have a very important role to play. Putting in place the appropriate state-of-the-art technical and organizational measures to protect the data against identification may make the difference to consider that the persons are not identifiable."

The Article 29 Working Party intends to develop further guidance on topics such as Identity Management, e-Health and RFID in the near future.

The Article 29 Working Party opinion on the concept of personal data can be found here: