20. October 2016
The European Court of Justice clarified the definition and the scope of personal data.
The original case, known as the Breyer case, concerned the issue whether dynamic IP addresses are personal data within the meaning of Article 2(a) of Directive 95/46/EC. The European Court of Justice now ruled that IP addresses can be seen as personal data although the information may have to be sought from third parties in order to identify the data subjects.
In detail, the European Court of Justice concludes:
- According to the approach adopted by the Bundesgerichtshof (Federal Court of Justice), a dynamic IP address is not sufficient, in itself, to identify the user who has accessed a web page through it. If the provider of a service on the Internet could, on the contrary, identify the user through the dynamic IP address, it would, no doubt, be personal data within the meaning of Directive 95/46.
- The heart of the question referred is therefore concerned with whether it is relevant, in order to classify dynamic IP addresses as personal data, that a very specific third party — the Internet access service provider — has additional data which, combined with those addresses, may identify a user who has visited a particular web page.
- Therefore, as a first conclusion, I consider that Article 2(a) of Directive 95/46 must be interpreted as meaning that an IP address stored by a service provider in connection with access to its web page constitutes personal data for that service provider, insofar as an Internet service provider has available additional data which make it possible to identify the data subject.
Therefore, the question which is raised due to this ruling is: Will this defintion stand once the GDPR comes into force in 2018?
However, it is highly probable that from now on it will be more difficult for organizations to pseudonymize or anonymize personal data.
18. May 2016
Background
In 2014, Mr. Breyer filed a suit against the Federal Republic of Germany regarding the storing of IP Addresses. Several German public bodies operate internet websites that are publicly accessible. In order to avoid and be able to prosecute criminal attacks, the access to these websites is protocolled, including names, retrieved data/website, words searched in the search fields, date and time of retrieval, data transmitted and the IP Address of the device in question.
Mr. Breyer requested that neither the Federal Republic of Germany nor third parties store the IP Address of users that accesses these websites, as there was no consent for this processing and the storage was not based on the recovery due to a disruption of the service.
Prejudicial question from the German Federal Supreme Court (Bundesgerichtshof)
The suit from Mr. Breyer was dismissed in the First Instance. However, the appeal succeed partly and the Federal Republic of Germany was sentenced not to store IP Addresses for a longer period of time than that of the access in question. Though, this was subject to the condition that Mr. Breyer provided his personal data when he accessed the website. Both parties appealed to the German Federal Supreme Court, who submitted the following questions to the ECJ:
– Question 1: Must the Data Protection Directive 95/46/EC be interpreted as meaning that an Internet Protocol address (IP Address) which a service provider stores when his website is accessed already constitutes personal data for the service provider if a third party (an access provider) has the additional knowledge required in order to identify the data subject?
– Question 2: Does the Data Protection Directive 95/46/EC preclude a provision in national law under which a service provider may collect and use a user’s personal data without his consent only to the extent necessary in order to facilitate, and charge for, the specific use of the telemedium by the user concerned, and under which the purpose of ensuring the general operability of the telemedium cannot justify use of the data beyond the end of the particular use of the telemedium?
Position of the ECJ General Advocate
The ECJ General Advocate answers the above questions as follows:
– To question 1: A dynamic IP Address, through which a user has retrieved a website from a telemedia service provider, constitutes for the latter a personal data to the extent that the service provider has enough additional information, which connected with the IP-Address makes possible to identify the user. Dynamic IP-Addresses contain information regarding the time and date in which a website was accessed from a device. This data can provide information about behavioural patterns that can affect the right to privacy of individuals. Additionally it can also provide additional information about a user if it is connected to other personal data.
– To question 2: The finality to guarantee the operability of the telemedium should be basically seen as a legitimate interest that justifies the processing of an IP Address. This legitimation can be only alleged if it has primacy over the fundamental rights of the data subject. A national legal disposition that does not allow such legitimate interest, is not consistent with the Data Protection Directive 45/95/EC.
What to expect regarding IP addresses with the GDPR?
The problematic of the IP Addresses may be solved with the GDPR, as the Recital 30 enumerates, among others, also IP addresses as examples of personal data. As such, they can lead to identify an individual if combined with other information, therefore they fall under the scope of the GDPR and they are to be handled as personal data.
