In December of 2014, the Bundesgerichtshof requested a preliminary ruling from the Court of Justice of the European Union (CJEU) after hearing a case brought by German Pirate Party politician Patrick Breyer against the German State. Mr Breyer sought to challenge the collection, use and storage of Internet Protocol (IP) address access logs across state-owned websites and asked the courts to grant an injunction which would prevent websites run by federal German bodies from collecting and storing his dynamic IP addresses. The applicant alleged that the German State was processing his personal data without a legal basis. The site operators, on the other hand, argued that the data must necessarily be stored to prevent cybernetic attacks and to enable the individuals responsible to be brought to justice.
Therefore, the question posed to the CJEU was whether a dynamic IP address held by website operators could constitute personal data, given that processing such an IP address together with additional information would allow Internet Service Providers (ISPs) to identify the individual.
On October 19th, the CJEU issued a judgment declaring that dynamic IP addresses may in fact constitute ‘personal data’ and that, in certain circumstances, such IP addresses may therefore be subject to protection under the EU Data Protection Directive (Directive 95/46/EC), which imposes an obligation on all Member States to protect persons’ right to privacy with respect to the processing of their ‘personal data’.
The judgment held that a dynamic IP address given to a natural person by an online media services provider, if combined with certain other data collected and stored by ISPs, would allow such ISPs to identify that natural person, giving the provider ‘the legal means which enable it to identify the data subject with additional data which the Internet service provider has about that person’. It is for this reason that dynamic IP addresses registered by online media services providers were deemed personal data within the scope of the Directive.
The CJEU also held that the Directive precludes a particular provision of the German law on Telemedia. The provision, relating to the circumstances allowing online media services providers to collect and use personal data without the data subject’s consent, was deemed overly restrictive and therefore in conflict with Article 7(f) of the Data Protection Directive.
This decision means that such IP addresses must now be processed in accordance with the requirements set out in the EU Data Protection Directive. This could have implications for companies which provide dynamic IP addresses to users of their websites. It must be noted, however, that various EU regulators have already adopted the view that dynamic IP addresses, particularly when coupled with other information, would be tantamount to personal data.
Moreover, the decision hardly comes as a surprise in light of the data protection reform package, which has as its core element a new general data protection regulation that entered into force on the 24th of May 2016 and should apply from the 25th of May 2018. The regulation, which modernises the principles set out in the 1995 Data Protection Directive, already acknowledges in its preamble that IP addresses may be used to identify natural persons. As a result, the CJEU’s decision brings with it implications and consequences that would have come about either way once the general data protection regulation applies.