On 19 October 2016, the Court of Justice of the European Union (“CJEU”) issued its judgment in Patrick Breyer v. Bundesrepublik Deutschland.
The case arose when Mr Breyer, a member of the German Pirate Party, challenged the storage of dynamic IP addresses by state-owned websites for security purposes. The case went up to the German Federal Court, which referred two questions to the CJEU:
1. Does a dynamic IP address constitute personal data?
What is a dynamic IP address?
A dynamic IP address is an IP address which changes each time there is a new connection to the internet. In principle, a website operator cannot identify the user on the basis of a dynamic IP address alone. Identification is only possible in combination with additional data held by the website operator’s internet service provider (“ISP”).
Definition of personal data
Personal data is data that allows a website operator to directly or indirectly identify an individual.
The CJEU relies on recital 26 of the Data Protection Directive and emphasizes that, to determine whether an individual is identifiable, account should be taken of “all the means likely reasonably to be used either by the controller or by any other person to identify an individual”.
Does a dynamic IP address constitute personal data?
The CJEU notes that, in the present case, there appear to be legal channels in Germany that enable website operators (i.e. German federal institutions) to contact the competent authority, in particular in the event of cyber attacks, so that the competent authority may take the necessary steps to obtain from the ISP additional information on the user and subsequently initiate criminal proceedings. The CJEU concludes that, because German federal institutions appear to have the legal means which may likely reasonably be used to identify the user, with the assistance of the competent authority and the ISP, on the basis of the IP addresses stored, these (dynamic) IP addresses constitute personal data.
2. Can a national law restrict the legitimate interest ground?
The CJEU rules that German legislation which does not allow for the storage of personal data after consultation of an online medium in order to ensure the general operability of that medium excludes the possibility of performing the ‘legitimate interest’ test (i.e. in the present case, to balance the objective of ensuring the general operability of the website against the interests or fundamental rights of website users). Such a provision is incompatible with the European Data Protection Directive.
What impact will this judgment have on businesses?
On one level, Breyer tells us something that we already know: IP addresses may, under certain circumstances, constitute personal data. What is less clear is the scope of this decision.
In fact, the CJEU’s decision in Breyer seems to be entirely in line with the Working Party 29’s 2007 opinion on the concept of personal data, in which the Working Party emphasizes that “especially in those cases where the processing is carried out with the purpose of identifying the users of the computer (for instance, by copyright holders in order to prosecute computer users for violation of IP rights), the controller anticipates that ‘the means likely reasonably to be used’ to identify the person will be available, e.g. through the courts appealed to (otherwise the collection of personal data makes no sense), and therefore the information should be considered personal data”.
In the present case, German institutions store IP addresses for the purpose of preventing cyber attacks and prosecuting ‘pirates’. For this specific purpose, German law allows German federal institutions to obtain the required additional information from the ISP. The (legal) means likely reasonably to be used to identify the pirates are thus readily available.
In many instances, however, IP addresses are not processed for the purpose of identifying the individual. Importantly, the CJEU also rules that dynamic IP addresses do not constitute personal data if identification of the user is prohibited by law or practically impossible on account of the fact that it requires a disproportionate effort in terms of time, cost and manpower, so that the risk of identification appears in reality to be insignificant.
In summary, it is questionable whether the CJEU’s Breyer decision will have a big impact on companies’ processing of online identifiers. If the purpose of the processing of online identifiers is not to identify the individual and if identification on the basis of those online identifiers is either prohibited by law or disproportionately difficult, it seems unlikely that these online identifiers would constitute personal data.