Johnson, et al. v Microsoft: Court Docs on Motion Ruling IP Address Does Not Equal PII
For those interested in digging deeper into the recent ruling in the UNITED STATES DISTRICT COURT FOR THE WESTERN DISTRICT OF WASHINGTON, SEATTLE DIVISION that IP addresses do not constitute "personally identifiable information," I have complied all of the relevant pleadings, motions, and response/reply/surreply briefs for your viewing pleasure....
- 2nd Amended Complaint
- Microsoft's Motion for Summary Judgment
- Plaintiffs' response to MSJ
- Microsoft's reply to plaintiffs' response
- Plaintiffs' surreply to Mircosoft's reply
- Court Order Granting MSJ (holding IP address is not PII)
For some more interesting reading on this issue, check out Truste's Amicus Brief in the Klimas case. How about some insightful comments in this blog to save me some reading time!
By the way, how to advise clients doing business in both the United States (where at least some courts dont consider IP as PII) and EU (where IP is considerd PII)?
Trackbacks (0)
Links to blogs that reference this article
Trackback URL
http://www.infolawgroup.com/admin/trackback/163607
http://www.infolawgroup.com/admin/trackback/163607
Post A Comment / Question
Use this form to add a comment to this entry.
Send To A Friend
Use this form to send this entry to a friend via email.
Thanks for taking time to pull all the links together. I've just skimmed the amended complaint and the ruling. I'm notsurprised about the decision to allow the push of additional software (WGA), but I find it mind-boggling that the judge would rule that the IP address is not PII. The argument that the definition of PII is not part of the EULA doesn't seem to hold up, particularly since the defendents presented a definition directly from Microsoft's own Glossary on their own security website. (As I understand it, the IP address is also part of the definition of PII in Microsoft's internal privacy documentation.)
The argument that an IP address is not like a street address or social security number because it doesn't identify an individual ON ITS OWN also seems suspect. A GPS transmitter doesn't have a label indicating me as it's owner, but it nonetheless will provide you my location and specific identification of me if you have a person or a camera in that location. There is plenty of data aggregation power out there to make this a pretty simple nut to crack, particularly if you can subpoena ISP records.
So presuming the judge messed this one up, will anyone get a chance to set this straight? Or does it just become a bad precedent?
Looking forward to reading more comments by the experts!