Website providers that collect dynamic Internet Protocol addresses (“IP address”) from website visitors may soon be subject to even more scrutiny from data protection authorities in the EU.

Last week, Europe’s Advocate General Manuel Campos Sánchez-Bordona (one of the advisors to the European Court of Justice, “ECJ”) released an opinion which, if followed by the ECJ would end a long debated question whether IP addresses are personal data subject to EU data privacy law. The Advocate General takes the view that dynamic IP addresses are personal data when being in the hands of a website provider when a third party (e.g. the internet access provider) has access to additional information that would enable identification of the Internet user.

Online activity of Internet users—such as analytics information tied to IP addresses—is often collected and used by website providers for purposes such as marketing and website optimization.  Such information is often collected and retained for a longer period of time without acquiring the individual’s consent even though consent may be required. This opinion is of paramount interest for any such website provider.

Under EU privacy law it has long been debated whether a dynamic IP address qualifies as “personal data” even if it alone does not enable the recipient to identify the user. EU Directive 95/46/EC states in its Recital 26: “(26) Whereas the principles of protection must apply to any information concerning an identified or identifiable person; whereas, to determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person;…”;

So far, it is highly disputed whether information in the hands of a third party such an internet access providers is “likely reasonably to be used by” for example, a website provider.

For example, the German Data Protection Authorities classify IP addresses as personal data in general while many legal scholars and also the German courts tend to take a more fact specific view and regard IP addresses as personal data only if they believe that the entity collecting the IP address also has reasonably easy access to additional information that allows the identification of the user. Also on the EU level, most often, IP addresses are considered personal data and the upcoming General Data Privacy Regulation confirms this view.

However, even before the General Data Privacy Regulation comes into force, the debate may soon come to an end.  The Advocate General’s opinion was delivered in a case that was referred to the ECJ by German Federal Supreme Court (Bundesgerichtshof, “BGH”). The German politician Patrick Breyer lodged a case against the German government requesting it to stop storing dynamic IP addresses from visitors to German government websites for longer than was necessary to deliver the website content. The government stores IP addresses in log-files for a longer period in order to enable the identification and prosecution of attackers and hackers. Breyer argues that the IP addresses could be linked back to him and would thus constitute personal data.  The Advocate General’s opinion agrees with this argument, and while not binding on the ECJ, is likely to be highly persuasive to the ECJ.

In a ruling rendered on 17 December 2014, the BGH referred the following questions to the ECJ:

  1. Whether, under Article 2a of the EU Data Protection Directive 95/46/EC, an IP address is personal data when the IP address is stored by a website provider and a third party (e.g., an internet access provider) possesses sufficient additional data to identify the user.
  2. Whether Art. 7f of the EU Data Protection Directive is contrary to a provision in a national member state’s law according to which a website provider may collect and process the personal data of users without their consent only to the extent it is necessary to (1) enable the general functionality of the website or (2) arrange payment. In addition, the relevant provision of the national member state’s law states that enabling the general functionality of the website does not permit user data to be processed after the user closes, or navigates away from, the website.

For the first question, according to the Advocate General, IP addresses that a website provider stores when its website is accessed by website visitor constitute personal data under EU data protection law, even if additional information necessary to identify the data subject is only in the possession of the internet access provider. Contrary to the view of the Federal Republic of Germany, which argued that such third party knowledge was not relevant since the internet access provider would only be permitted to disclose such information in very limited situation, the Advocate General argued that possession by the access provider was relevant and decisive. The Advocate General argued that even such limited situation of data disclosure by the website provider would be sufficient to assume that such knowledge of the website provider would be “means likely reasonably to be used by third parties” (see no 26 of the recitals of EC Directive 95/46/EC).

This is a fairly broad view of third party knowledge, as a website operator has only very limited means to request such information from an internet access provider.

For the second question, the Advocate General stated that EU Member States cannot completely forbid the retention of IP addresses where they are retained for the legitimate interest of a website operator to enable the use of its website.

If the ECJ’s final decision follows the Advocate General’s opinion, it would mean that:

  • Any recording, storage or use of dynamic IP addresses by website providers beyond the period of use for a clearly defined purpose would require consent of the Internet user, unless the website service provider can demonstrate that the retention of IP addresses is necessary to ensure proper functioning of such website.
  • Website providers that have before relied on the assumption that dynamic IP addresses are not personal data and as such not covered by EU data privacy law would have to rethink and re-evaluate the processing of IP addresses and the ways to achieve their data privacy compliant processing.