In a decision that may have far reaching implications for website operators, the Court of Justice of the European Union (CJEU) has ruled that dynamic IP addresses can constitute personal data, even where the individual can only be identified using additional data held by a third party (normally the internet service provider that assigns the IP address).


Patrick Breyer, a German politician, sought an injunction preventing the Federal Republic of Germany from storing IP addresses of visitors to their websites for cyber security purposes.

The case had reached the highest court in Germany, which referred two questions to the CJEU:

  1. Whether a dynamic IP address held by an online media service provider could constitute personal data in circumstances where the additional data necessary to identify the data subject can only be provided by the internet service provider; and
  2. Whether the provision of German law that precluded a justification based on "legitimate interest" to hold data (e.g. to prevent cyberattacks) was inconsistent with Article 7 of the Data Protection Directive (the "Directive").

Court ruling and future implications

In response to these questions, the CJEU ruled that:

  1. A dynamic IP address may constitute personal data if the site operator has legal means enabling it to identify the visitor with the help of additional information provided by a third party; and
  2. The provision of German law that limited the scope of the "legitimate interest" justification by providing that it only applied to the specific use of the site by the data subject is inconsistent with Article 7 of the Directive (which creates the justification).

The decision is likely to present challenges to online media service providers. If all IP addresses can constitute personal data, site operators will now need to balance the fundamental rights of data subjects who access their sites with the legitimate interest in preventing cyberattacks. This is likely to result in additional requirements for site operators such as carrying out privacy impact assessments.