CJEU Rules Dynamic IP Addresses May Constitute Personal Data
On 19 October 2016, the Court of Justice of the European Union (CJEU) ruled in the Breyer v. Germany case that dynamic IP addresses may constitute personal data within the meaning of the Data Protection Directive 95/46. This directive has been implemented into the Dutch Personal Data Protection Act (Wet bescherming persoonsgegevens or Wbp).
Below, we will explain briefly how the CJEU arrived at its decision and what this means in practice.
What are personal data?
In Article 2 of the Data Protection Directive the term ‘personal data’ is defined as follows:
‘Any information relating to an identified or identifiable natural person (…). An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity.’
The concept of personal data must be interpreted broadly. It also covers data that allow a person to be identified indirectly, i.e. data that can be linked to a specific person when combined with other data. For example, it had been ruled before that telephone numbers, postal codes combined with house numbers and car registration numbers can be regarded as personal data.
Static and dynamic IP addresses
The present case concerned the question whether dynamic IP addresses can in specific circumstances (which will be discussed below) be regarded as personal data.
To gain a clear understanding of the ruling issued by the CJEU, it is necessary to know what an IP address is. The abbreviation IP address stands for Internet Protocol address. The Internet Protocol is a set of rules that allows computers in a network (like the Internet) to communicate with one another. In this network every computer is given a unique code. This code consists of a string of digits, which may look, for example, like 192.168.0.10. If a computer has a static or fixed IP address, this code is always the same. If the IP address changes whenever a new connection to the Internet is made, it is a dynamic IP address.
At an earlier date, the CJEU ruled in the Scarlet Extended case that static IP addresses held by an Internet service provider (ISP) constitute personal data.
However, the present ruling differs from the earlier one on two significant points, because (i) it now specifically concerns dynamic IP addresses and (ii) the relevant IP addresses are not held by an ISP, but by the Federal Republic of Germany (the provider of online media services).
Patrick Breyer accessed various websites of German federal institutions. These publicly accessible sites contain topical information. As a defence against cyber-attacks and to enable the prosecution of the attackers, most of these sites register every visit in log files. After a visit to these sites, the IP address of the computer from which access to the site was sought is stored in these log files. In this context Breyer brought an action against the Federal Republic of Germany and sought an order, inter alia, restraining the latter from storing his IP address after his visit to the websites, unless its storage was necessary to restore the availability of the website in the event of a fault occurring.
This claim was based on the assertion that Breyer’s IP addresses constitute personal data within the meaning of Article 2 of the Data Protection Directive and that the processing of these data by the Federal Republic of Germany lacks a legal basis. The Federal Republic of Germany, however, was of the opinion that these IP addresses do not constitute personal data and that it was not required to comply with the data protection legislation for this reason.
The German court of appeal ruled that a dynamic IP address, together with the time of access to the site, constitutes personal data only if the user of the website concerned has revealed his identity during the consultation period, for example by entering his name or email address. Only then can the operator of the website be able to identify the user by linking his name to the computer’s IP address. Both Breyer and Germany brought an appeal before the German Bundesgerichtshof (i.e. the Federal Court of Justice). Subsequently, the Bundesgerichtshof asked the CJEU whether Breyer’s dynamic IP addresses constitute personal data within the meaning of the Data Protection Directive and whether storage of these IP addresses after the consultation period is permitted.
Before answering these questions, the CJEU first specified the two facts underlying its decision, namely:
- the Federal Republic of Germany stores dynamic IP addresses, together with the date and time of access to the website; and
- the Federal Republic of Germany itself does not have the additional data that allow the user to be identified, but the ISP does have these additional data.
The CJEU determines that in any case the IP address cannot be used to identify a person directly, but that it must be examined whether a person can be identified indirectly with this dynamic IP address. For this purpose, account must be taken of all means that can reasonably be used by both the Federal Republic of Germany and any other person. This means that for information to be treated as personal data, it is not required that all information enabling the identification of the data subject must be in the hands of the same person.
Subsequently, it must be determined whether the additional data in the hands of the ISP can reasonably be used to identify the data subject. According to the CJEU, this is not the case if the identification of the data subject is prohibited by law or practically impossible, for example because it requires a disproportionate effort in terms of time, costs and manpower. This means that the same information may be personal data in one case and not in another, depending on who processes this information.
Next, the CJEU determines that even though the ISP that holds the name and the address of the person linked to the IP address may not transmit these data to the Federal Republic of Germany unconditionally, there are legal channels that enable the latter to contact the Public Prosecution Service in Germany, particularly in the event of cyber-attacks, so that the latter can then take the necessary steps to obtain this information from the ISP and bring criminal proceedings.
The CJEU concludes that the Federal Republic of Germany has means likely reasonably to be used to identify the data subject with the assistance of third parties – being the German Public Prosecution Service and the ISP – on the basis of the dynamic IP addresses stored. In short, Breyer’s dynamic IP addresses are personal data in the present case!
May IP addresses be stored after the consultation period?
The German legislation on which the storage of IP addresses after consultation of a website is based permits the collection and use of the personal data of a user of online media services without the latter’s permission only to the extent that this is necessary to facilitate and charge for the user’s specific use of the website. Guaranteeing the proper functioning of the website in general is not a purpose that this legislation allows.
For this reason, the CJEU rules that the storage of IP addresses is not justified under the relevant German legislation, because that legislation has reduced the scope for balancing the objective of the provision against the opposing rights and interests of the data subjects in a specific case. On the other hand, the CJEU underlines that the storage of IP addresses by providers of online media services may be permitted if the Federal Republic of Germany or a third party pursues legitimate interests in doing so. Such a legitimate interest may be maintaining the proper functioning of the government websites after each specific use of them. According to the CJEU, storage of IP addresses after the consultation period may therefore be permitted, but not under the present German legislation.
What does this ruling mean in practice?
This ruling means that the concept of personal data must be interpreted more broadly than had been previously assumed. Even if the party who has collected the relevant data needs two other parties (the Public Prosecution Service and the ISP) to obtain additional data, which, combined with the IP address, allow the person concerned to be identified, these data can constitute personal data.
But why is it so important whether any information is to be regarded as personal data?
This means that the data protection legislation applies to the processing of these data. That means, inter alia, that there must be a legal basis underlying the collection of these data, that these may not be stored unconditionally and that the controller (the party that controls the processing of personal data) has a number of obligations. The main points will be outlined below.
- Legal basis
The basis may be the data subject’s consent, but, for example, also the controller’s legitimate interests or the execution of a public-law duty.
- Principle of purpose limitation and data storage period
The personal data collected may not be further processed for incompatible purposes and may not be stored longer than necessary for the purposes for which they have been collected.
- Duty to provide information
Controllers must disclose their identity and the purposes of the processing to data subjects in advance.
- Notification obligation
The controller must notify the supervisory authority – the Dutch Data Protection Authority – of the processing of personal data.
- Security measures
The controller must implement technical and organizational security measures to protect personal data against loss or any unlawful forms of processing.
- Notification obligation regarding data breaches
The controller must, without delay, notify the Dutch Data Protection Authority and, in some cases, the data subjects of any data leak. A data leak is deemed to exist if there is a security breach that results in a substantial probability of serious adverse consequences for the protection of personal data.
- Data processing agreement
The controller is under a legal duty to enter into a contract governing the processing of personal data by a processor.
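Since the ruling makes logged IP addresses personal data, the storage-period and security obligations above apply directly to ordinary web-server access logs. The following script is an added illustration, not part of the article or of any German or Dutch authority's tooling, of two mitigations a website operator can apply to such logs: enforcing a retention window, and replacing the raw address by either a truncated network prefix (data minimisation) or a keyed pseudonym (so repeated visits remain linkable for attack detection without storing the address itself). The log lines, addresses, timestamps and the retention period are constructed sample values, and the function names are this example's own.

```python
import hashlib
import hmac
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines in the common "combined" web-server log format.
# The addresses come from documentation ranges (RFC 5737 / RFC 3849), not real visitors.
SAMPLE_LOG = [
    '203.0.113.7 - - [11/Oct/2016:09:02:11 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [25/Oct/2016:10:15:32 +0000] "GET /news HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '2001:db8:abcd:1234::5 - - [25/Oct/2016:10:16:03 +0000] "GET /login HTTP/1.1" 404 128 "-" "curl/7.50"',
    "this line is not a valid log entry",
]

# Constructed reference time and retention window used by run_sample().
REFERENCE_NOW = datetime(2016, 10, 26, tzinfo=timezone.utc)
RETENTION = timedelta(days=7)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_log_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "req": m.group("req"),
        "status": int(m.group("status")),
    }


def truncate_ip(ip_str):
    """Data minimisation: keep only the /24 of an IPv4 address or the /48 of an
    IPv6 address, so the stored value no longer singles out one subscriber line."""
    addr = ipaddress.ip_address(ip_str)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def pseudonymise_ip(ip_str, key):
    """Keyed pseudonym (HMAC-SHA256): repeated visits from one address stay linkable
    for abuse detection, but the address cannot be recovered without the key.
    The key belongs outside the log store and should be rotated with the retention period."""
    return hmac.new(key, ip_str.encode("ascii"), hashlib.sha256).hexdigest()[:16]


def process_log(lines, now, retention, key=None):
    """Parse the lines, drop records older than the retention window, and replace the
    raw IP by a truncated prefix (default) or a keyed pseudonym (when a key is given)."""
    cutoff = now - retention
    kept = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None or rec["ts"] < cutoff:
            continue  # unparseable, or outside the permitted storage period
        raw_ip = rec.pop("ip")  # the raw address never reaches the output record
        rec["ip_pseudo"] = pseudonymise_ip(raw_ip, key) if key else truncate_ip(raw_ip)
        kept.append(rec)
    return kept


def run_sample():
    """Apply the default (truncating) policy to the constructed sample log."""
    return process_log(SAMPLE_LOG, REFERENCE_NOW, RETENTION)


if __name__ == "__main__":
    for rec in run_sample():
        print(rec["ip_pseudo"], rec["ts"].isoformat(), rec["status"], rec["req"])
```

Run against the sample, the 11 October entry falls outside the seven-day window and is dropped, the malformed line is skipped, and the two remaining records carry `203.0.113.0` and `2001:db8:abcd::` instead of the full addresses. Which of the two replacement strategies fits depends on the purpose the operator can justify: truncation suffices for general availability statistics, while the keyed pseudonym preserves the ability to recognise a repeating source during an attack without keeping data that a third party could match to a subscriber.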
Would you like to know more about the scope of the concept of personal data? Or the consequences of this ruling for your own business operations?
Written by Huub de Jong and Lisa Molenaars