In a decision that could have significant impact for online companies that have European operations, the European Union’s (EU) top court ruled that Internet Protocol addresses (IP addresses) could, under certain circumstances, constitute protected data under EU data protection law (Breyer v. Bundesrepublik Deutschland, E.C.J., No. C-582/14, 10/19/16). As most of us know, the IP address is a series of numbers that is allocated to a specific device (e.g., a computer or smart phone) by an Internet service provider. The IP address identifies the device and allows it to access the Internet. IP addresses can be either static or dynamic. Dynamic IP addresses change every time an electronic device connects to the Internet, and are the more common of the two.
Directive 95/46/EC, commonly known as the “Directive,” sets out certain standards EU members must legally adopt as law in order to protect personal data. Consequently, if IP addresses are considered “personal data,” online companies (Facebook and Google, for example) would have to treat them in accordance with potentially restrictive data handling requirements. Under the Directive, the processing of personal data (e.g., marketing or profiling) is only lawful if it is necessary “to achieve a legitimate objective pursued by the controller, or by the third party to which the data are transmitted, provided that the interest or the fundamental rights and freedom of the data subject does not override the objective.”
This specific case involves websites operated by the Federal Republic of Germany (“BRD”), which, like most website operators, records the IP addresses of visitors to its websites. Patrick Breyer sued the BRD, claiming that if the IP addresses qualify as personal data under EU data protection law, then the BRD would be mandated to require consent before processing such data. Breyer alleged the retention of IP addresses by the Republic of Germany could enable profiling of website users and other non-legitimate objectives.
The EU’s top court, the Court of Justice of the European Union (the “CJEU”), held that dynamic IP addresses could be considered personal data provided the website “has the legal means to identify the visitor with the help of additional information that the visitors’ internet service provider has.” Since this is generally the case with most providers, the Court held dynamic addresses could potentially be considered protected personal data. While this case was decided under the Directive, it is important to note that the decision is consistent with the expanding concept of personal data under the General Data Protection Regulation, which will take effect in May 2018.
However, in a material caveat, the high court here stated that the federal German institutions running the websites in question “may have a legitimate interest in ensuring the continued functioning of their websites which goes beyond each specific use of their publicly accessible websites” when protecting their sites against online attack. The case now will be returned to the German Federal Court of Justice, which will decide the case based on the CJEU’s holding.
Defining IP addresses as personal data could, in certain circumstances, impose significant limitations on the storage and use of that information. Companies that seek to identify users through their IP addresses for marketing or other purposes should closely monitor continuing developments in this area and be prepared to address not only how they safeguard this data, but also what legitimate business reason they have for its collection.