Advocate General Campos Sánchez-Bordon has given an opinion on whether dynamic IP addresses can constitute personal data under the Data Protection Directive 95/46/EC.
The issue arose in proceedings Patrick Breyer, a privacy activist, brought against the German Government concerning the retention of his dynamic IP address by government websites.
IP addresses are numerical labels assigned by Internet Service Providers (“ISPs”) to specific devices (such as a computer or a smart phone) connected to the internet. ISPs assign temporary “dynamic IP addresses” to their users for each internet connection and change them when subsequent connections are made. They also retain records of assignments to a particular device at a given time. Websites that are accessed using dynamic IP addresses also tend to keep records of the webpages that have been accessed, when and from which dynamic IP addresses. However, German domestic law only allows website providers to process personal data after access for invoicing purposes or in circumstances where the user has consented. This is less generous than the Data Protection Directive 95/46/EC which allows data controllers to justify the processing of personal data if it is necessary for the purposes of the legitimate interests pursued by the controller e.g. a legitimate business. Website providers cannot usually identify a user by dynamic IP address alone, but can if the address is combined with the information held by an ISP.
Mr Breyer argued that the storage of dynamic IP addresses by the German Government websites constituted the processing of personal data under the Data Protection Directive 95/46/EC. Such processing of personal data is generally unlawful, unless it is justified, for example by a previously given consent. The German Government maintained that dynamic IP addresses do not reveal an “identified” person and that they can only constitute personal data in circumstances where it would likely be reasonable for the website provider to obtain information from a third party to use in conjunction with the IP address to identify the user. To identify Mr Breyer, it would be necessary to obtain information held by the ISP, which, without a legal basis, it cannot provide to website providers. The German Government also submitted that the dynamic IP addresses are stored by the websites with the aim of preventing cyberattacks and prosecuting attackers.
Article 2 of the Data Protection Directive 95/46/EC: “personal data” shall mean any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.”
Recital 26 of the Data Protection Directive 95/46/EC: “on the protection of individuals with regard to the processing of personal data and on the free movement of such data (Data Protection Directive) states that to determine whether a person is identifiable, "account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person ..."
Article 7 of the Data Protection Directive 95/46/EC: “Member States shall provide that personal data may be processed only if”…. (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection under Article 1(1).”
Questions referred to the Court of Justice of the European Union
The German Federal Court of Justice referred two questions to the Court of Justice of the European Union (“CJEU”):
1. Is a dynamic IP address with time of access, through which a user accessed a web page, "personal data” for a website provider, where the ISP has the additional information required to identify the data subject.
2. Does Article 7(f) of the Data Protection Directive 95/46/EC prohibit national law that seeks to limit the extent a website provider may justify its processing of personal data.
The Opinion of the Advocate General
The Advocate General responded as follows:
1. A dynamic IP address for a website provider constitutes "personal data", to the extent that an ISP has other additional data which could facilitate the identification of the user.
2. National legislation that does not allow a website provider to justify its processing of personal data for the purpose of pursuing its legitimate interests is incompatible with Article 7(f) of the Data Protection Directive 95/46/EC.
The Advocate General’s view is that in so far as a dynamic IP address helps to determine, either alone or in conjunction with other information, the owner of the device that accessed a particular webpage, it may be information relating to an "identifiable person" and therefore constitutes personal data. The Advocate General stated when reaching his decision that the ISP is a main player in the structure of the internet who is known with certainty to be in possession of the data required by a website provider to identify a user of the website. It is reasonable to think that the website provider may approach the ISP to obtain the information it would require to identify the user. It is the practical possibility that the data may be transferred, which is perfectly “reasonable”, that transforms the dynamic IP address into personal data for the website provider.
The Advocate General also recognised that Article 7(f) of the Data Protection Directive 95/46/EC is more generous than German domestic law in authorising use of personal data for the purposes of a data controller's legitimate interests. German domestic law should be interpreted to allow a website provider to justify the processing of personal data where it is necessary for the legitimate interests it pursues. In this case its legitimate interest is ensuring the proper functioning of its websites, though it will not be able to justify the processing where the legitimate interest is overridden by the interests or fundamental rights and freedoms of the user.
The Advocate General pointed out that the case was a novel one for the CJEU. In a previous case, Scarlet Extended SA v Societe, Case C-70/10, the CJEU stated that IP addresses ‘are protected personal data because they allow those users to be precisely identified’, however this was in a context in which the collection and identification of IP addresses was carried out by the ISP, not by a website provider.
An opinion by the Advocate General is not binding on the CJEU but it is persuasive.
Breyer v Bundesrepublik Deutschland, Case C-582/14, 12 May 2016