An IP address which can be combined with data held by a third party to identify an individual, is likely to be personal data.
What's the issue?
The Data Protection Directive 1995, defines personal data as: “any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified directly or indirectly….”. The issue of when someone is indirectly identifiable and what exactly that means has been the subject of debate since the Data Protection Directive came into force and Member States have taken differing approaches.
Under the incoming General Data Protection Regulation (GDPR), the definition of personal data is expanded to add clarity to the concept of when someone is indirectly identifiable: “personal data means any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person”.
In terms of EU data protection law, it is uncontroversial that an IP address in isolation is not personal data. It is also uncontested that an IP address which can be combined with other information to identify an individual is personal data, but the issue has largely been considered where the same party holds both the IP address and the other information, so mainly in relation to ISPs. In a reference from Germany, the CJEU was asked to consider whether an IP address, particularly a dynamic IP address which changes each time a device connects to a network, can be personal data if the additional information which would allow it to identify an individual is held by a third party.
What’s the development?
The CJEU has followed the earlier Advocate General Opinion in holding that dynamic IP addresses held by a website operator are personal data where the operator has “the legal means which enable it to identify the data subject with additional data which the internet service provider has about that person”.
The case revolved around whether the Federal Republic of Germany can save the IP addresses of visitors to its website and the reference to the CJEU asked (principally), whether IP addresses stored by an information society service provider (like a website operator) can be held to be personal data, where a third party (an internet service provider) has additional data which, when combined with the IP address, would allow re-identification of an individual.
The CJEU said that while an IP address alone is not personal data, it should be treated as such if ISPs hold additional data which could be combined with the IP addresses to identify individuals where there is a reasonable likelihood they would do so and where they have the legal means to do so. This would not be the case where it would involve disproportionate effort to combine data or where the combination was illegal.
The reference also asked whether IP addresses may be processed by website operators in order to defend themselves against denial-of-service and similar attacks and to allow prosecution of hackers. The AG opined that this might fall within the legitimate interests exception under the Data Protection Directive, unless such interests were overridden by the need to protect the fundamental rights and freedoms of data subjects. The CJEU broadly agreed, saying that each instance would need to be assessed on a case-by-case basis and that there was no way for Member States to definitively prescribe when the legitimate interests exception would apply.
What does this mean for you?
The ruling comes as no surprise to those familiar with the progression of EU data protection law although those used to a US definition of what constitutes Personally Identifiable Information may find it more surprising.
The Data Protection Directive has a wider definition of personal data than the UK’s Data Protection Act, and that wider definition is more accurately reflected in German data protection law; the GDPR has a wider definition still in terms of whether data should be classed as personal because of its potential to be combined with other data in order to identify individuals. Decisions of regulators and courts have been trending towards the wide interpretation given by this judgment for some time.
The ruling does leave some questions unanswered, not least of which is just what is meant by “disproportionate effort” and “reasonable likelihood” in terms of combining different datasets. Notwithstanding the remaining ambiguities, the stance taken in this case reflects the general direction of travel of EU data protection law. The working assumption should be that any data which can identify an individual when combined with other lawfully obtained data, even where that data is held by a third party, should be treated as personal data unless there is a good reason not to do so.