Some real scenarios from retail clients:
1) An account customer (#1) places an order online from home. The retailer's firewall captures the IP address. The stored account details include the customer's name, address, home and mobile telephone numbers and email address. It is easily arguable that the IP address is the customer's Personal Data.
2) The customer's partner, also an account customer (#2), places an order online from home. The retailer's firewall captures the IP address. The stored account details include customer #2's name, address, home and mobile telephone numbers and email address. Whose PD is the IP address now? Both of them or neither of them? It cannot be used as a unique identifier of either one of them, as it will point to both of them.
3) Customer #1 places an order online from their office, using a works PC. The retailer's firewall captures the IP address. That IP address has been previously captured for orders placed from the same office by other people. Whose PD is the IP address? Whose is it if no other purchases have been made from that IP address? Is it the DC's PD if the firewall is run by a third party acting as a DC? Is it PD if the firewall is run by a third party acting as a DP but collecting the data other than on the instructions of the DC - e.g., because the DC is ISO 27001 certified, it's "recommended practice" and anyway, "That's what firewalls do when 'Log' is turned on"?
4) Customer #1 places an order online from their office, using a COPE device. The retailer's firewall captures the IP address and the MAC address of the device. The IP address has been previously captured for orders placed from the same office by other people, but the MAC address is unique. It is easily arguable that the MAC address is customer #1's PD. But whose PD is the IP address?
5) Customer #2 places an order online from their office, using a BYOD device. The retailer's firewall captures the IP address and the MAC address of the device. The IP address has been previously captured for orders placed from the same office by other people, but the MAC address is unique. The MAC address has been previously captured for orders placed from home. Again, it is easily arguable that the MAC address is customer #2's PD. But whose PD is the IP address?
6) Customer #2 places an order online from home, using the same BYOD device. The retailer's firewall captures the IP address and the MAC address of the device. Again, it is easily arguable that the MAC address is customer #2's PD. But is the IP address customer #1's or customer #2's PD?
7) Customer #2 places an order online from home, using customer #1's COPE device. The retailer's firewall captures the IP address and the MAC address of the device. Whose PD is the MAC address now: customer #1's, customer #2's, both, neither?
8) Consider also the scenario where customers #1 and #2 occasionally purchase items from the same retailer using one payment card, for delivery to different addresses (joint main residence, flat in town, holiday home). Whose PD is the card number (PAN)? Whose PD are the addresses?
9) Suppose that over three years, customer #1 buys one item on the card costing £1, but customer #2 buys 300 items totalling £12,000. Does this change the perception of whose PD the PAN is?
10) Suppose they both use the same email address - often used as a "unique" identifier.
Now imagine trying to respond to a SAR. Customers tend not to believe you when you say, "Yes, we have a record of 301 items purchased on that card / using that email address / from that IP address / using that device, but we don't know whether it is your Personal Data or someone else's."
A couple of years ago I dealt with a particularly ticklish matter where a retailer had supplied a customer's purchase data in response to a SAR. The data included all items purchased, the billing and (a number of) delivery addresses both (several) domestic and office, and the last four digits of the PANs used to make the purchases. One of the cards belonged to a blood relative of the Data Subject - who had ordered an item for delivery to the address of the Data Subject. Both complained. The ICO had little perception of the challenges faced by the retailer in identifying a customer uniquely.
I am currently dealing with a matter where the supply of purchase data in response to a SAR has apparently uncovered an affair. Two accounts were linked because the [married to each other] customers both had the title "Dr" and both had the same initial - no given names had been supplied - and family name. The supply was addressed to "Dr I Lastname, [address]" and apparently opened by the other party who noted purchases of jewellery for delivery to the address of her best friend [truly!].
These are everyday issues for online and large retailers. I know that they are less of an issue for utilities, and local and central government - where one is more commonly dealing with a *uniquely* identifiable individual associated with a single address.
M
Grimbaldus Limited Registered in England 7071826
112 Weydon Hill Road, Farnham, Surrey GU9 8NZ
www.grimbaldus.com
-----Original Message-----
From: This list is for those interested in Data Protection issues [mailto:[log in to unmask]] On Behalf Of Roland Perry
Sent: 31 January 2015 07:53
To: [log in to unmask]
Subject: Re: [data-protection] FW: Hawktalk: ECJ Ryneš ruling implies IP addresses are personal data in themselves
In message <[log in to unmask]>, at 10:00:57 on Fri, 30 Jan 2015, Chris Pounder <[log in to unmask]> writes
>
>My thoughts on IP addresses were triggered by the Ryneš ECJ case
>(domestic purposes exemption does not apply to surveillance of public
>places from a domestically installed CCTV). I think the Ryneš case
>strengthens the argument that an IP address is personal data in many
>instances
The Article 29 Committee has reported several times, over many years, that it believes IP addresses are personal data, and an explicit statement to this effect appears in the current DP reforms in Brussels.
--
Roland Perry
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving messages please send to the list owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^