ISPs: data controllers as well as mere conduits? Does this make sense? What do we do with the e-privacy Directive if we care? – Sophie Stalla-Bourdillon

So here we are, the English Court of Appeal, as it has been explained by Alison Knight in her post, has recently held in the Google v Vidal-Hall case, among other things, that there was a serious issue to be tried that Browser-Generated Information (“BGI”) is personal data under the Data Protection Act 1998 (“DPA”), which strictly does not mean that BGI is personal data but it transpires from the decision – concerning an application to serve outside jurisdiction – that the judge could be convinced by such an idea at full trial.

How is this possible?

Paragraph 115 is worth mentioning since it encapsulates the core of the Court’s reasoning:

“If section 1 of the DPA is appropriately defined in line with the provisions and aims of the Directive, identification for the purposes of data protection is about data that ‘individuates’ the individual, in the sense that they are singled out and distinguished from all others. It is immaterial that the BGI does not name the user. The BGI singles them out and therefore directly identifies them for the purposes of section 1(1)(a) of the DPA…”.

But what is BGI?

This is the definition that is given by the Court :

“BGI information comprises two relevant elements: (a) detailed browsing histories comprising a number of elements such as the website visited, and dates and times when websites are visited; and (b) information derived from use of the ‘doubleclick’ cookie, which amounts to a unique identifier, enabling the browsing histories to be linked to an individual device/user; and the defendant to recognise when and where the user is online, so advertisements can be targeted at them, based on an analysis of their browsing history”.

In passing, in paragraph 137, this case is also described as a case about

“the secret and blanket tracking and collation of information, often of an extremely private nature, as specified in the confidential schedules, about and associated with the claimants’ internet use, and the subsequent use of that information for about nine months”.

In the appendix to the judgment, i.e. in the general particulars of claims, it is explained that BGI usually comprises the following elements:

“(a)    the type of browser (for example, the browser known as “Safari” which is further described at paragraph 5 below);

(b)     the operating system of the computer or device;

(c)       the address of the website the browser is displaying;

(d)      the computer or device’s screen resolution; and

(e)   the IP address from which the computer or device is connected to the internet”.

So, assuming for a minute that BGI is personal data, the processing of BGI is thus regulated by the Data Protection Directive and its national transpositions such as the DPA.

This said, the data controller is the one under Article 17 of the Data Protection Directive who bears the obligation to

“implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing”.

If Google is deemed a ‘data controller’ of BGI as personal data, and this comprises personal identifiers stored on internet-accessing equipment, however, this raises the question whether Google does in fact have full control over the security of BGI in that context (as a data controller should in fulfilling its data protection obligations) or not.

More importantly, if Google is a data controller, it surely has to comply with the principle of data minimisation. But once again resorting to the principle of data minimisation could seem awkward as it would seem that to send relevant ads you need to know as much as you can about the data subjects… (Is this really always true by the way?). This is why it might be vital to give a meaningful choice to data subjects so that they can decide whether and to which extent they want relevant ads.

Now what is really interesting is that Google is not the only one collecting or processing BGI or similar information. Communications data sometimes also called metadata [although this assimilation is misleading as we have tried to demonstrate it in a previous post] are very similar to BGI. Communications data include IP addresses and domain names (although full URLs are excluded)…

As a result, is it arguable that ISPs generating and retaining communications data (be they “forced” to do so or not) are also acting as data controllers. If that was the case, ISPs would be both data controllers and mere conduits… (but mere conduits only when it comes to content data though, assuming communications data are not content data… which is where it gets very very muddy see here).

Assuming for a minute that ISPs are data controllers in relation to communications data, they would bear security obligations in relation to this personal data as per Article 17 of the Data Protection Directive. By comparison, obligations under Article 4 of the e-Privacy Directive appear broader in scope and do not seem to specifically target data controllers as it provides that

“The provider of a publicly available electronic communications service must take appropriate technical and organisational measures to safeguard security of its services, if necessary in conjunction with the provider of the public communications network with respect to network security”.

Let’s pause for a second…. Everyone certainly remembers that just before the Google Spain” Costeja” judgement, the Court of Justice of the European Union had declared the Data Retention Directive invalid.

And in relation to security and protection of data here are its words:

“Moreover, as far as concerns the rules relating to the security and protection of data retained by providers of publicly available electronic communications services or of public communications networks, it must be held that Directive 2006/24 does not provide for sufficient safeguards, as required by Article 8 of the Charter, to ensure effective protection of the data retained against the risk of abuse and against any unlawful access and use of that data. In the first place, Article 7 of Directive 2006/24 does not lay down rules which are specific and adapted to (i) the vast quantity of data whose retention is required by that directive, (ii) the sensitive nature of that data and (iii) the risk of unlawful access to that data, rules which would serve, in particular, to govern the protection and security of the data in question in a clear and strict manner in order to ensure their full integrity and confidentiality. Furthermore, a specific obligation on Member States to establish such rules has also not been laid down”.

So I am wondering, by declaring the Data Retention Directive invalid, is the CJEU implying that the e-Privacy Directive combined with the Data Protection Directive is not of great quality as well, as it does not provide for stringent security measures? Or are the stringent security measures to which the CJEU alludes only relevant when the communications data are retained for the purposes of detecting or preventing serious crimes? Does it really make sense to distinguish between these two scenarios?

One last question: if ISPs have then to abide by the principle of data minimisation, to what extent do retention obligations make such compliance impossible?

If ISPs “only” have to retain what they generate or process (see Art. 1 of the defunct Data Retention Directive), does it mean that they only have to retain what they decide to log? I am afraid that this interpretation would not be very successful, as it would then suffice to ask ISPs to log very little to make retention obligations ‘empty shells’….What does generating or processing really mean in this context [the ‘or’ in the middle is quite intriguing as processing within the meaning of the Data Protection Directive has been defined very broadly]?

Answering this question might help to determine the real implications of DRIPA by the way (see here).

But “with too many “if” we could put Paris and Marseilles in the same bottle!” some might say…

Sophie Stalla-Bourdillon is Associate Professor in Information Technology and Intellectual Property Law at the University of Southampton

This post originally appeared on the Peep Beep! blog and is reproduced with permission and thanks