On October 19, the CJEU handed down a decision in the Breyer case. The case arose from a complaint by Mr. Patrick Breyer, deals with whether dynamic IP addresses logged by a website are personal information, protected by privacy law.
The CJEU concluded that the answer to this is yes, provided that it was both technically and legally possible for the website operator to obtain information that could link that address back to an individual. The court expressly considered that the possibility of obtaining that information via a court order or a similar intervention by some other competent authority would meet this standard.
This decision has some significant implications both in Europe and in Canada.
First, and most obviously, it means that all websites subject to European Data Protection law need user consent, or some other legal justification, to log IP addresses. Once the General Data Protection Regulations (“GDPR“) comes into effect in 2018, this will include non-European websites that offer goods or services in the EU, or that track user behaviour in the EU (for example, for advertising purposes).
However, in the long term, the more important consequence may be to make it much harder to avoid privacy law obligations by de-identifying data. Effectively, the Breyer decision suggests that, if re-identifying information exists anywhere within the reach of a court order, that information must always be considered personal information in the hands of anyone who could possibly obtain such an order.
In Canada, the applicable legal test is whether there is a “serious possibility that an individual could be identified through the use of that information, alone or in combination with other information.” [See e.g. Gordon v. Canada (Health), 2008 FC 258.] This test reflects the same concern about re-identification.
According to findings of the Privacy Commissioner of Canada, the test does not require that “someone would necessarily go to all lengths to actually do so”. But no decision to date in Canada has gone so far as to say that a hypothetical option to obtain a court order would be enough by itself to satisfy the “serious possibility” standard.
For instance, in a 2011 decision, the Privacy Commissioner rejected the argument that Facebook collected personal information when it logged the IP addresses of non-members who visited third-party sites using its social plug-ins. There was no evidence that Facebook had the capacity to link the IP address to an individual.
The logic of the Breyer decision could lead to the opposite result.
In the second part of the Breyers decision, the CJEU went on to also conclude that a law permitting media websites to collect users’ personal information without consent in order to facilitate and charge for the services, but requiring them to dispose of that information after the content was viewed, was inconsistent with the European Data Protection directive, because it was unduly prescriptive. Article 7(f) of the Directive requires a broader balancing of interests. The German law in question apparently failed to allow for the possibility that the website operator might have a legitimate interest in retaining the information for a longer period.
This leaves open the possibility that website operators (and others) can justify collection and retention of personal information about their users without consent based on such “legitimate interests”, which the CJEU suggests include the ability to defend against “cyber attacks”. Presumably, enforcement of IP rights would also be considered a legitimate interest. However, these interests must, according to the Directive, be balanced against the “fundamental rights and freedoms of the data subject”.
The CJEU has previously concluded that this balancing must be done on a case-by-case basis, rather than categorically, at least at the legislative level. It is not clear how such an assessment could be applied to IP address logging in practice. Nuanced balancing of interests is not usually a hallmark of scalable automated processes. But resolving this question will have to wait for another day.