The Court of Appeals of Paris has ruled that IP addresses do not constitute personal data. Indeed, in two rulings of April 27 and May 15, 2007, the Court of Appeals of Paris held that IP addresses are simply a “set of figures” and do not, therefore, constitute “personal data” as defined in the loi Informatique et Libertés (French Data Protection Act) of January 6, 1978.
However, according to the CNIL (French Data Protection Commission), IP addresses do, on the contrary, constitute personal data as defined in the abovementioned Act insofar as they “make it indirectly possible to identify an individual by reference to an identification number”. This is what the CNIL clearly pointed out in a press release of August 2, 2007 commenting on these rulings. This is also what held the Tribunal de Grande de Instance of Saint Brieuc on September 6, 2007.
This qualification in fact has a direct impact on a company’s obligations under the loi Informatique et Libertés.
Indeed, faced with the growing risks of being held liable for their employees’ unlawful actions on the Internet, companies now tend to retain their employees’ connection data (including IP addresses). Retaining such data enables companies to identify, if necessary, who really committed the offence. Moreover, an isolated ruling of February 3, 2005 could be construed as creating an obligation for all companies to retain their employees’ connection data.
However, if an IP address qualifies as personal data, companies must in this case comply with the requirements of the loi Informatique et Libertés and, in particular, notify the CNIL of any processing thereof. If an IP address does not constitute personal data, companies would not be required to comply with such obligations.
The CNIL intends to contest these two rulings of the Court of Appeals. To do so, it has asked the Minister for Justice to examine the possibility of bringing an appeal before the Cour de cassation against these two rulings, in the interest of the law. Pending clarification of the situation, it would seem advisable to comply with the CNIL’s interpretation. Indeed, non-compliance with the provisions of the loi Informatique et Libertés is subject to criminal penalties of up to 5 years’ imprisonment and a EUR 300,000 fine for individuals or a EUR 1,500,000 fine for legal entities.