Personal data is defined, both in the currently applicable Directive 95/46/EC and in the new Regulation 2016/679 as information relating to an identified or an identifiable natural person.

In a pending case before the EU Court of Justice (C-582/14 Patrick Breyer v. Germany), the EU Advocate General (AG) asserts that dynamic IP addresses can qualify as personal data to the extent that, read in conjunction with further data held by an internet access provider, such IP addresses can identify the user.

Moreover, the AG confirms that the processing of such data by a website operator so as to avoid hacking and to ensure the proper operability of the website might amount to a legitimate purpose. To assess whether the processing can be legally justified, this purpose must be balanced against the rights of the data subject. It will of course now be up to the ECJ to decide on this delicate matter.