A top EU official has raised the prospect that IP addresses could be counted as personal data.
Speaking at a hearing examining Google's planned acquisition of DoubleClick, Peter Schaar, the German data protection commissioner and chairman of the Europe-wide privacy group, the Article 29 Committee said that if a person could be identified by an IP address, then that address is private.
This has been the rule in most countries in the EU for more than 10 years. However, it is hard to set a clear-cut rule because some ISPs give out fresh IP addresses to subscribers each time they go online and people also buy time online at Internet cafes.
The Article 29 Committee has been examining the question of IP addresses as part of its analysis of how search engines respect European data protection rules. It is expected to reach some conclusions by mid-June, according to an official working for the committee who asked not to be named.
The committee cannot fine transgressors of EU data protection rules, nor can it propose legislation, but it can prompt the European Commission to do so.
Internet search companies, including Google, argue that an IP address merely locates a computer rather than identifying who is sitting at that computer. Treating IP addresses as personal information would have implications for how search engines record and use people's data.
If the committee persuaded lawmakers to toughen IP address protection in Europe "that would definitely change things [for search engines]," said John Steinback, a spokesman on policy matters for Google.
From Google's perspective, whether an IP address is personal depends on the context, Steinback said. An ISP can link an IP address to a subscriber, but a website visited by the person using a specific IP address cannot link the address to a person, he explained.
The European Parliament hearing was convened by the assembly's civil liberties committee to assess whether citizens' privacy would be harmed by Google's planned acquisition of Internet advertising company DoubleClick. The deal, which has already been given the green light by US regulators, is under investigation by European Commission competition officials. However, like its US equivalents, the Commission won't consider the privacy question.
Nevertheless, if data being collected for one purpose by one of the companies is then handed over to the other company for use in a different way, European data protection officials would be obliged to intervene, said the official close to the Article 29 Committee.
"Google will have to respect all the obligations of DoubleClick, including its data protection obligations," the official said. If the two databases are to be used for the same purposes, then they would be deemed compatible and could merge. "But if there was an incompatibility between the two databases, then they couldn't be merged," he said.
The European Parliament's civil liberties committee said it would be holding more seminars to examine the issues surrounding data protection in the months and years to come.