Last month, one of the Advocate Generals (“AG”) of the Court of Justice of the European Union (“CJEU”), Manuel Campos Sánchez-Bordona, issued an opinion suggesting that dynamic IP addresses should be recognized as “personal data” under EU law. If the CJEU adopts this reasoning, it would represent a landmark decision that would resolve a contentious issue that has been plaguing EU data protection law for years. This post delves into the AG’s decision and its potential consequences.
First things first: what is an IP address?
The term “IP address” is shorthand for “Internet Protocol address.” As described in the AG’s opinion, an IP address is a series of numbers that is allocated to a specific device (i.e. a computer or smartphone) by an Internet service provider. The IP address identifies the device and allows it to access an electronic communications network, such as the Internet.
IP addresses can be either “dynamic” or “static.” Dynamic IP addresses are the more common of the two, and change every time the device connects to the Internet. Static IP addresses, on the other hand, remain constant on the device and do not change each time the device re-connects to the Internet. The AG’s opinion here specifically related to dynamic, and not static, IP addresses. For static IP addresses, it is easier to construe them as personal data because they persistently identify the same device.
What would be the significance of dynamic IP addresses being considered “personal data” under EU law?
Directive 95/46/EC, commonly known as the EU Data Directive or simply the Directive, sets out certain baseline standards EU Member States must adopt as laws in order to protect “personal data,” which the Directive defines as “any information relating to an identified or identifiable natural person.” Therefore, if IP addresses were considered “personal data,” data controllers and processors would have to treat IP addresses in accordance with the Directive’s stringent data handling requirements.
As a result, there has been considerable debate over the years as to whether or not IP addresses qualify as “personal data,” and various Member States have evidenced a range of opinions on the issue. This disparity is attributable to the somewhat complicated means of identifying a person through his or her IP address: although one cannot identify an individual through an IP address alone, it may be possible to identify a user by analyzing the IP address in conjunction with other information about the user. Accordingly, the issue of whether an IP address qualifies as personal data may be viewed as turning on the degree of access to this additional information.
Why did the AG issue this opinion?
The AG issued his opinion on the status of dynamic IP addresses in connection with the case Patrick Breyer v. Bundesrepublik Deutschland, which currently is pending before the CJEU. The plaintiff, a member of Parliament in the German state of Schleswig-Holstein, brought the suit to challenge the German government’s practice of logging the dynamic IP addresses of individuals accessing the government’s websites. Breyer argued that by keeping records of these IP addresses, the German government was impermissibly collecting personal data, as a dynamic IP address – combined with additional information – could be used to identify a user. From a practical standpoint, the German government – recognized by the AG as a “service provider” here – would have had to obtain this additional information needed to identify Breyer from Breyer’s Internet “access provider.” In other words, although the website service provider in this case had the individual’s IP address, it did not have all the data it needed to identify the individual through this IP address; it would have to obtain this information from a third party, the individual’s Internet access provider, in order to identify him. Germany’s Federal Court of Justice referred the case to the CJEU and specifically asked the CJEU whether the Directive “[m]ust … be interpreted as meaning that an Internet Protocol address (IP address) which a service provider stores when his website is accessed already constitutes personal data for the service provider if a third party (an access provider) has the additional knowledge required in order to identify the data subject.”
In practice, it would have been difficult for the service provider in this case to obtain the required information from the access provider in order to identify Breyer through his dynamic IP address, because German law forbids that type of transfer in the absence of a legal justification. Breyer, and the AG, both seemed to recognize this, as the AG summarized Breyer’s argument as advocating for a recognition of IP addresses as personal data even “where there exists an abstract potential risk of combination, it being of little importance whether that combination occurs in practice” because “the fact that a body may be subjectively incapable of identifying a person using the IP address does not mean that there is no risk for that person.” The Austrian and Portuguese governments submitted written materials indicating that they agreed with Breyer’s argument, while the German government argued that Breyer was not identifiable through his IP address because the service provider did not have all of the information required to identify him and could not obtain that information from the Internet access provider without a legal basis.
In analyzing the arguments, the AG turned to Recital 26 of the Directive, which states that in order to determine whether or not a person is “identifiable” through certain information, “account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person.” The AG reasoned that in a situation in which an Internet access provider holds information a service provider needs to identify a person through an IP address, a request for that information would be a reasonable means to identify the user in question (regardless of that fact that German law required a legal basis for such a transfer). Accordingly, a person’s dynamic IP address could render that individual “identifiable,” thereby making a dynamic IP address “personal data” in accordance with the definition set out in the Directive.
It is important to note that the CJEU has not yet ruled on the case, and that the AG’s opinion is not binding – it merely is intended to provide guidance to the court. Additionally, the AG’s opinion here specifically related to dynamic IP addresses, and explicitly excluded consideration of whether static IP addresses qualify as personal data. However, it should be noted that the Article 29 Working Party opined in 2008 that all IP addresses – both static and dynamic – qualify as types of personal data. Although the Working Party’s opinion may be influential, it is advisory and does not carry the force of law. A CJEU opinion on this issue therefore would carry more weight.
What are the practical implications of a decision that dynamic IP addresses are forms of personal data?
As the AG recognized in his opinion, technology is advancing at an incredible rate. Although currently it seems that identifying a person through his or her IP address requires jumping through multiple hoops, such identification may become significantly easier as technology continues to grow in sophistication and information linked to IP addresses can be processed in a way that facilitates identification. Defining dynamic IP addresses as personal data therefore would impose fairly stringent restrictions on the processing of that information. Companies that seek to identify users through their IP addresses – whether for tracking, marketing, or other purposes – therefore should take note of the continuing developments in this area.