On 19 October 2016, the Court of Justice of the European Union (“CJEU”) issued its judgment in Patrick Breyer v. Bundesrepublik Deutschland. The decision has provided much needed clarification on a long-standing issue in EU data protection law.
The CJEU ruled that a dynamic Internet protocol (“IP”) address of a website user is personal data, with respect to the website operator, if that operator has the legal means allowing it to identify the user concerned with additional information about that user which is held by an Internet Service Provider (“ISP”).
Patrick Breyer brought an action before the German courts seeking an injunction to prevent websites run by the Federal Republic of Germany (“BRD”) from registering and storing his IP addresses.
Like many website operators, the BRD recorded the IP addresses of visitors to its websites. Mr Breyer (a member of the Pirate Party) sued the BRD and claimed that IP addresses qualified as personal data under EU data protection law and that the BRD would require consent for processing such data. Mr Breyer also alleged that the retention of IP addresses by the BRD could enable them to profile users of its websites.
On appeal, the Regional Court of Berlin ruled that IP addresses in the hands of website operators qualified as personal data if a user provided additional details to the website operator (e.g. name, email address, etc.). Both parties subsequently appealed this ruling to the German Federal Court of Justice (the "BGH").
The BGH referred several questions to the CJEU regarding the interpretation of the EU Data Protection Directive (the "Directive") in this context. In particular, the BGH asked the CJEU to determine whether dynamic IP addresses qualified as personal data in the hands of a website operator if a third party (i.e. an ISP) holds additional information that could link those dynamic IP addresses to the identities of individuals.
The CJEU followed the Opinion of Advocate General Manuel Campos Sánchez-Bordona on 12 May 2016 and declared that a dynamic IP address, registered by a website operator, must be treated as personal data if the additional data necessary to identify the user of a website is stored by the user’s ISP.
This decision has significant practical implications for all website providers. The storing of user information by internet service providers now falls under the scope of data protection law if they fall within the test laid down by the CJEU.