Changes to the US Foreign Intelligence Surveillance Act provoked an interesting discussion with some colleagues. Does European data protection law require in any way that Internet Service Providers keep intra-EU Internet traffic within European networks? After all, IP addresses are personal data and European organisations are not allowed to export personal data to countries (like the US) without adequate data protection law.
One colleague noted that Recital 47 of the Data Protection Directive (95/46/EC) specifies that ISPs are data controllers in respect of personal data added to communications that are "necessary for the operation of the service." Do they therefore have to ensure packets are only sent outside the EU when necessary for the performance of their contract with a user, or get explicit consent (Article 26 DPD)?
Another replied that peering/transit ISPs, who would normally be responsible for international links, cannot link IP addresses to customer identities — that can only be done easily by the customer's own ISP. Of course, those with access to the customer's ISP records can also make this link, which in the UK means a large part of the government.
It seems, therefore, that this question can only be answered by a very detailed examination of the "necessity" test as applied to ISP routing decisions, and of how easily data may be linked to an individual in order to be defined as personal data under specific national laws.