According to the Court of Justice of the European Union (CJEU), dynamic IP addresses may be personal data for website operators and thus fall under the scope of data protection (CJEU, Judgement of October 19, 2016 – C-582/14).
Internet service providers assign to users dynamic IP addresses, which change each time there is a new connection to the internet. The IP address is used for communication between users and websites. As a result, website operators know IP addresses, but – other than internet service providers – cannot attribute them to specific users without additional information about their constantly changing "dynamic" allocation.
The provisions concerning the protection of personal data only apply to data which can be attributed to a person who is at least identifiable. The CJEU states that in order to determine whether a person is identifiable, not only information at the data controller itself (such as website operators) is to be taken into account. Rather, additional data must be considered, which may be obtained by the data controller from a third party through legal means. Under certain conditions, German law permits the transfer of information on dynamically assigned IP addresses by the internet access provider to the website operator. Therefore, according to the CJEU, dynamic IP addresses (also) represent personal data for the website operator and are covered by data protection.
The CJEU thus issues a judgment on a controversial basic question of data protection: Which additional information, that is only available at third parties, is to be taken into account for the question as to whether information can be attributed to a natural person? According to the CJEU, all additional information is relevant, which can be obtained from a third party by legal means.
In addition, the CJEU also addresses the provision of Section 15 German Telemedia Act, which requires the deletion of usage data after the end of the actual use, unless they are required for billing purposes. This is in breach of EU law: The European Directive (95/46/EC) also allows the use of usage data to maintain the functionality of generally accessible websites by their operators.
Conclusion: Data covered by data protection is also given where the data controller is only able to identify a natural person by use of additional information, which can be obtained from third parties by legal means. In other words, not only the data available at the controller itself is to be considered in order to determine whether a natural person is identifiable. On the other hand, only such additional information at third parties must be taken into account, which may be transmitted to the relevant controller by legal means.