The foundational concept in EU data protection law is that of ‘personal data’, and yet its meaning is not entirely clear. In the recent Breyer case, the German courts sought clarification from the EU’s highest court, the Court of Justice of the European Union (the “Court”), on the status of dynamic IP addresses. Mr Breyer, alleging that dynamic IP addresses constituted his personal data, challenged the collection, use and storage of IP access logs on German state-owned websites.
Last month, we analysed the Opinion of the Advocate General, the independent advisor to the Court. The Court’s judgment now provides us with additional guidance on what is personal data, but unfortunately the position still lacks clarity. We now look at the significance of the Court’s judgment.
What is personal data?
Determining whether information is ‘personal data’ is the first step towards applying data protection law. Only personal data is safeguarded by data protection law. In short, personal data is information which relates to an identified or identifiable living individual. It is the latter half of the definition – what is ‘identifiable’ – which causes headaches for many organisations.
For example, “John Murphy is a great customer” is clearly personal data as the statement identifies John Murphy. By contrast, “Customer 12345 is a great customer” does not specifically name John Murphy. However, for the business that sells to John, it might be clear who Customer 12345 is. The alias “Customer 12345” is what we might call an identifier or pseudonym. Customer 12345 may be identified as John Murphy, but only with the benefit of the customer list or other information connecting the number with the individual.
In other words, if information can be combined to identify an individual, it may be deemed to be personal data. However, the question for the Court was whether certain information may be personal data to Company A, which has all the data, and not be personal data to Company B, which only has a sub-set of that data. Previously, the Irish High Court found that IP addresses are personal data in the hands of an internet service provider, but not in the hands of a record label.
Are dynamic IP addresses personal data?
A recurring question relates to the status of IP addresses. An IP address is a string of identifying numbers, which allows the transmission of information online to a specific individual and device. Dynamic IP addresses, the subject of this case, change frequently and may be assigned to different devices over time. Therefore, certain organisations (like the internet service providers, which assign the addresses) will know the identity of the device and the associated subscriber to which a dynamic IP address has been assigned at any given time. Others, like website providers, will only have the dynamic IP address and the dates and times of access.
In this context, the Court focused on the idea that information could indirectly identify an individual. Building on this, the Court confirmed that, in order for information to be ‘personal data’, all of the information that would enable identification does not need to be in the hands of one person. As a result, the question of whether a website provider could legally obtain the necessary information, without disproportionate effort in terms of time, cost and manpower, will inform whether a dynamic IP address is ‘personal data’ in the hands of the website provider.
Therefore, according to the Court, ‘personal data’ is relative. A specific, fact-based analysis is needed to assess the relevant information held by each relevant organisation. In order to assess whether an organisation stores or uses personal data, one should ask whether it has or can obtain the information to identify the individual in question without ‘disproportionate effort’.
Restricting legitimate interests
It’s worth briefly highlighting the second part of the Court’s judgment, which examined the scope of the ‘legitimate interests’ ground for processing data. Under data protection law, organisations must be able to show a legal basis to justify their use of personal data. Although there are a variety of options here, consent and the organisation’s legitimate interests tend to be the most frequently used.
The Court considered that an aspect of German law improperly restricted the scope of the ‘legitimate interests’ ground, and the ability of data controllers to rely on this ground. The Court came to the conclusion that it was defensible to use the logs of dynamic IPs in order to secure and protect websites from fraudulent activity and attacks.
Unfortunately, the case does not establish a black-and-white answer for determining what is considered ‘personal data’. Certain information remains within somewhat of a grey area. However, we do have a degree more clarity than in the past. It is worth noting that the General Data Protection Regulation contains an expanded definition of personal data, which specifically includes online identifiers, like IP addresses. Nevertheless, the issue is not closed. It would not be surprising to see a future request for clarification from the Court on what constitutes a ‘disproportionate effort’ to combine data sets.