European Court of Justice defines personal data

20 October 2016

The European Court of Justice clarified the definition and the scope of personal data.

The original case, known as the Breyer case, concerned the question of whether dynamic IP addresses are personal data within the meaning of Article 2(a) of Directive 95/46/EC. The European Court of Justice has now ruled that IP addresses can be seen as personal data, even though the information needed to identify the data subjects may have to be sought from third parties.

In detail, the European Court of Justice concludes:

  • According to the approach adopted by the Bundesgerichtshof (Federal Court of Justice), a dynamic IP address is not sufficient, in itself, to identify the user who has accessed a web page through it. If the provider of a service on the Internet could, on the contrary, identify the user through the dynamic IP address, it would, no doubt, be personal data within the meaning of Directive 95/46.
  • The heart of the question referred is therefore concerned with whether it is relevant, in order to classify dynamic IP addresses as personal data, that a very specific third party — the Internet access service provider — has additional data which, combined with those addresses, may identify a user who has visited a particular web page.
  • Therefore, as a first conclusion, I consider that Article 2(a) of Directive 95/46 must be interpreted as meaning that an IP address stored by a service provider in connection with access to its web page constitutes personal data for that service provider, insofar as an Internet service provider has available additional data which make it possible to identify the data subject.

The question this ruling raises is therefore: will this definition stand once the GDPR comes into force in 2018?

However, it is highly probable that from now on it will be more difficult for organizations to pseudonymize or anonymize personal data.