Update to the case of Antipiratbyrån (APB), an anti-piracy organisation supported by copyright owners that breached data protection laws during their hunt for file-sharers by handling, on a large scale, IP addresses and other user-related information.
APB used a special computer program to track down computers used for sharing copies of copyright protected works such as movies and computer games. By collecting information about IP addresses, aliases, filenames, connected servers etc. and then forwarding the information to the police and internet service providers, APB intended to call upon the police and providers to take action against the illegal file-sharing.
According to the Data Protection Act (the “Act”) only authorities, with some exceptions, have the right to register personal data relating to criminal offences. A company that needs to register such personal data as part of their business can apply to the Swedish Data Inspection Board (the “Board”) for a special permission to do so.
APB did not regard their actions as a processing of personal data, and therefore had not applied to the Board for a special permission to handle this personal data.
IP addresses are personal data
After receiving thousands of reports from people opposed to the methods used by APB, the Board examined the matter and found that an IP address is personal data when someone, for example an internet service provider, can relate the information to a person. This means that the Act is applicable and since APB had not applied for a special permission to handle this type of personal data, the processing of the information was in conflict with the Act. The Board did not consider whether the general conditions for a special permission for APB to process personal data were met or not. The Board’s decision was published on 8 June 2005.
Comments on the decision
After the decision was published, representatives from APB said that the organisation would apply for special permission. The representatives also stated that if APB’s processing of IP addresses was in conflict with the Act, the same conflict arises with the use of firewalls that log IP addresses. The Board responded in a magazine article to this criticism. The Board said that no formal examination of the use of firewalls has been conducted but that it must be stressed that not all registration of IP addresses is prohibited and that the interest of protecting information on a computer by using a firewall is different from APB’s interest of registering criminal offences.