IP addresses have significant implications for personal privacy: if connected to a particular subscriber, they can reveal a vast range of online behaviour. The question of whether IP addresses are ‘personal data’ under a data protection regime is therefore critical, as such a classification greatly limits the usage to which those addresses can be put absent user consent.
This paper critically reviews the approaches taken to the question of whether IP addresses ought to be classified in this way in Hong Kong and in the European Union (‘EU’). Jurisprudence related to the EU Data Protection Directive and the forthcoming General Data Protection Regulation both treat IP addresses as ‘personal information’. This results in robust protection for IP addresses under European law. In Hong Kong, however, the jurisprudence is limited to two lower court decisions that are inconsistent with one another, and neither show a deep appreciation for the importance IP addresses may have in revealing the behaviour and activities of Hong Kong residents online. The Privacy Commissioner for Personal Data has likewise not shown an interest in challenging the approach taken by the courts thus far regarding this issue.
Noting this relative lack of attention, this paper introduces the Access My Info: Hong Kong (‘AMI:HK’) project. AMI:HK is a platform for users to make data access requests to telecommunications service providers in Hong Kong. The project should reveal if there is consistency in the Hong Kong providers’ approach to their access obligations under the Personal Data (Privacy) Ordinance, in particular the question of whether they treat IP addresses as personal data within the meaning of the law.
© 2012 Journal of Law, Information & Science and Faculty of Law, University of Tasmania.