Personal data protection, case I OSK 1079/10

February 5th, 2010, Tomasz Rychlicki

According to lawyers representing the singer Maryla Rodowicz, on the forum of one of the Polish portal websites appeared entries with the content which allegedly violated her personal rights (interests). The lawyers requested the owner to reveal IP addresses of users who posted these entries. The administrator of the portal website deleted the disputed entries but did not reveal any of the IP addresses. Lawyers filed a request to the Inspector General for Personal Data Protection (GIODO), who ordered the portal to disclose IPs on the grounds that these numbers are personal data. The owner of the portal again refused. The case went to the Voivodeship Administrative Court (VAC) in Warsaw, which in a judgment of 3 February 2010, case file II SA/Wa 1598/09 upheld the decision of the GIODO. The company who owns the portal may file a cassation to the Supreme Administrative Court (SAC). The VAC judgment provides the interpretation that IP address is a personal data, in accordance with the statutory definition included in article 6 of the Polish Act of 29 August 1997 on the Protection of Personal Data – PPD – (in Polish: Ustawa o ochronie danych osobowych), Journal of Laws (Dziennik Ustaw) of October 29, 1997, No. 133, item 883, unified text published in Journal of Laws (Dziennik Ustaw) of July 6, 2002, No. 101, item 926, with later amendments.

Article 6
1. Within the meaning of the Act personal data shall mean any information relating to an identified or identifiable natural person.
2. An identifiable person is the one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his/her physical, physiological, mental, economic, cultural or social identity.
3. A piece of information shall not be regarded as identifying where the identification requires an unreasonable amount of time, cost and manpower.

The VAC also noted that the IP address is personal data if it is permanently assigned to the specified device, and that device is used or operated by a specified entity. This dependence makes certain, in given situations, that there is the possibility of identifying such entity. The Court said that it is true that the IP address itself is not sufficient to identify a person who use it, but together with other information a person can be identified. Grupa o2, the owner of a portal website filed a cassation complaint.

The Supreme Administrative Court in its judgment of 19 May 2011 case file I OSK 1079/10 dismissed the complaint and decided that information on the date and contents of the posts that are correlated with IP addresses, allows for unambiguous determination of identity of persons who have violated someone’s personal interests.

There was another court’s decision with regard to the aforementioned case and the disclosure of IP addresses. See “Telecommunications law, case I OSK 1079/10“. The U.S. courts and judges have quite different views on this issue. Read for example Johnson v. Microsoft Corp., 2009 WL 1794400 (W.D. Wash. June 23, 2009).

See also “Polish regulations on personal data protection” and “Polish case law on personal data protection“.