Could IP addresses soon be considered "personal information" in Europe? The question was discussed yesterday at a hearing before the European Parliament's Civil Liberties Committee, where European data protection authorities and privacy advocates backed the idea. Google, not surprisingly, wasn't as thrilled.

Giving legal protection to IP addresses poses a host of problems for companies like Google that log massive amounts of data and want to know which machines it comes from. IP address tracking can help the company crackdown on click fraud, for instance, and it can help Google identify the general geographical location of many of its visitors.

But IP addresses don't match up with people, only machines, making them at best quasi-personal. As Google's Global Privacy Counsel Peter Fleischer told the Committee (PDF), "There is no black or white answer: sometimes an IP address can be considered as personal data and sometimes not; it depends on the context, and which personal information it reveals."

Marc Rotenberg, who heads the Electronic Privacy Information Center, argued that IP addresses are still quite personal and are likely to become even more so soon. "We are moving towards the IP6 model, for which it will be even more the case that IP addresses will be personally identifiable," he said.

The debate over IP addresses quickly morphed into a debate over the Google/DoubleClick merger, which the European Commission is currently examining. In his prepared remarks, Fleischer said that Google's success "depends on trust. If our users don't trust us, they won't use our services. And they won't trust us, if we don't protect their privacy."

But Carlos Coelho, a member of the EPP-ED, Parliament's largest bloc, argued that "trust between the user and the online service supplier cannot exist in a monopoly situation, yet Google's buyout of DoubleClick could create such a case."

If enough others subscribe to that view, it's not hard to imagine that stricter privacy laws (including regulations for some kinds of IP address collection) could follow.

Such a plan has the backing of one of Europe's most influential data protection advocates, Germany's data protection commissioner Peter Scharr. Scharr heads the EU's "Article 29 Data Protection Working Group," which advises the European Commission on data protection issues. According to the AP, Scharr told the Civil Liberties Committee that an IP address "has to be regarded as personal data" in situations where it can be used to identify someone.

Given Scharr's backing, this is an idea that could garner real traction in Europe. If it does, it's unlikely to prevent the collection of IP addresses (which are used for everything from busting child pornography suspects to finding file-swappers to blacklisting spam domains), but it would no doubt require databases of such addresses to meet certain security and retention standards.

Google has tried to get out in front of such issues by voluntarily making changes to its own retention policy and anonymizing IP addresses within 18-24 months.