In the ever-changing world of data protection, the concept of personal data has been broadened further by the CJEU's recent ruling in the Breyer case. The Court confirmed that a dynamic IP address can constitute personal data. More generally, it clarified that a piece of data held by an organisation which cannot, in and of itself, be linked by that organisation to an identifiable individual, may constitute personal data if that organisation has the legal means which enable it to identify the data subject by combining the data with other information held by one or more third parties.
Patrick Breyer v Bundesrepublik Deutschland
The CJEU's ruling was delivered in response to a referral arising from a case between Mr Patrick Breyer and the Federal Republic of Germany concerning the registration and storage of a dynamic IP address. A key issue was whether the dynamic IP address used by Mr Breyer which, in and of itself, could not be linked to him without being combined with other information held by an internet service provider, constituted personal data in the hands of German federal institutions.
The CJEU ruled that, in determining whether information constitutes personal data, each element of the definition of personal data set out in the Data Protection Directive should be construed broadly. In particular, the Court clarified that it is not required that all information enabling the identification of a data subject must be in the hands of one person in order for elements of such information to be treated as personal data. The key question is whether the combination of the various elements of such information constitutes "a means likely reasonably to be used" to identify the data subject. The Court made it clear that a theoretical possibility of the relevant pieces of information being combined to enable the relevant individual to be identified would not be sufficient. If identification would be illegal or practically impossible on account of the fact that it would require a disproportionate effort in terms of time, cost and manpower, then individual non-identifying pieces of information would not constitute personal data. However, if identification as a result of combining data with other information held by one or more third parties is legally and practically possible, then data which is non-identifying in and of itself could constitute personal data.
The impact of the CJEU ruling
It is notable that Irish case law regarding the meaning of 'personal data' is not in line with the CJEU's decision in the Breyer case. Indeed, even before the delivery of this ruling, it was doubtful that Irish case law on this issue was consistent with EU law and guidance published by the Article 29 Working Party. As a result, it would be prudent for organisations that are subject to Irish data protection law to review their policies and procedures regarding the collection and use of personal data and to consider whether a broader range of information than they might previously have thought is within the scope of data protection law. This ruling will also need to be taken into account by any organisation which intends to rely on anonymisation techniques to ensure that certain categories of information do not constitute 'personal data', since it is likely to make anonymisation (as opposed to pseudonymisation) more difficult to achieve.