CORRECTED: Anonymous web data can be personal data

The Register has a story on a fascinating legal analysis by Chris Pounder of Amberhawk Training (report here, pdf) as to how identifying yourself as being the individual associated with a particular IP address might be used to force companies such as Google and Yahoo to treat your data as being under the UK Data Protection Act. According to the report:

This analysis is valid for countries where the national data protection legislation is based on the Data Protection Directive 95/45/EC or on the OECD Guidelines; Google’s privacy policy suggests that the analysis applies to it.

According to the report’s overview (but see CORRECTION, below)

In outline, an individual user can, at any time, send an Internet service provider his name, address, time the service was used, and any relevant URL, reference number or IP address associated with that user session. If this information is sent, then the service provider possesses all the identifying information needed to link any related service data or profiling data derived from a user session to that individual. That individual has become unambiguously identifiable and any further processing of the personal data related to the user session will engage the usual data protection obligations.

As more and more users of a service send a service provider these details, there will become a threshold of user contact after which a service provider should assume that personal data are processed on ALL users of a service without the need for user identifying information to be sent. This is because the rate of user contact is such that a service provider can anticipate that he is likely to be sent the identifying information about an individual user.

Report: IP ADDRESSES, REFERENCE NUMBERS, URLs AND THE UK’s DATA PROTECTION ACT 1998

CORRECTION: The correct url for the report is http://www.amberhawk.com/. See Chris’s comment, below, that the first four pages were changed.