In a recent decision, the Court of Justice of the European Union (CJEU) has provided much needed clarification on a long-standing issue in EU data protection law.
A German politician brought an action concerning websites operated by the Federal Republic of Germany that stored personal data, including IP addresses, on logfiles for two weeks. The question before the CJEU was – are IP addresses personal data? The CJEU ruled that dynamic IP addresses constitute personal data. The ruling has direct relevance for website providers.
A dynamic IP address means that the computer’s IP address is newly assigned each time a website is visited by a user. Generally, the data included in a dynamic IP address does not enable a website provider to identify the user. However, according to the CJEU, a dynamic IP address will be personal data if it is “reasonably likely” that a website provider will be able to combine a dynamic IP address with additional data held by the user’s internet service provider (ISP) such that the user can be identified. In practice, this means that dynamic IP addresses will be personal data unless it is practically impossible or unlawful for the website provider to access the additional data held by the ISP.
This decision has significant practical implications for all website providers, because the storing of user information falls under existing data protection laws. Ultimately, the website provider will need the consent of the user to store the dynamic IP address. This will also be the case when the General Data Protection Regulation (GDPR) comes into force in May 2018.