The Court of Justice of the European Union has held that IP addresses are "personal data" in certain circumstances. This decision is significant because it means that the collection and further processing of IP addresses may be subject to EU data protection law, creating potential compliance difficulties for businesses.
On 19 October 2016, the Court of Justice of the European Union (the "CJEU") published its judgment in Case 582/14 – Patrick Breyer v Germany, in which it held that IP addresses are personal data in certain circumstances. The judgment is broadly in line with the Advocate General's Opinion in this case, from May 2016, which we reported previously.
The case involves websites operated by the Federal Republic of Germany (the "BRD"). Like many website operators, the BRD records the IP addresses of visitors of its websites. Patrick Breyer (a member of the Pirate Party) sued the BRD, claiming that: (i) IP addresses qualify as personal data under EU data protection law; and (ii) that the BRD therefore required consent from individuals in order to process such data.
On appeal, the Regional Court of Berlin (the "Kammergericht") ruled that IP addresses in the hands of website operators could qualify as personal data if the relevant individual provides additional details to the website operator (e.g., name, email address, etc.) in the course of using the website. Both parties subsequently appealed this ruling to the German Federal Court of Justice (the "BGH"). The BGH referred two questions to the CJEU regarding the interpretation of Directive 95/46/EC (the "Directive") in this context. In particular, the BGH asked the CJEU to determine whether dynamic IP addresses are personal data in the hands of a website operator, if a third party (e.g., an Internet Service Provider ("ISP")) holds additional information (e.g., account details) that can be used to link those dynamic IP addresses to the identity of the relevant individual.
The CJEU's analysis
How are personal data defined?
Personal data are defined in Article 2(a) of the Directive as "any information relating to an identified or identifiable natural person (‘data subject'). An identifiable person is one "who can be identified, directly or indirectly […]" (emphasis added). Further analysis of the issue of identifiability is provided by the EU's Article 29 Working Party, in its Opinion 4/2007.
What are dynamic IP addresses?
In the present case, Mr Breyer's IP address was dynamically allocated (i.e., each time he connects to the network, his device is issued with a new IP address). Ordinarily, a dynamic IP address does not provide a website operator with sufficient information to directly identify an individual user, unless additional information is also available (e.g., the user logs into the website and provides information that enables the website operator to identify that user). The parties agreed that the IP address in question did not directly identify Mr Breyer.
Is the test for identifiability objective or relative?
The critical issue was whether Mr Breyer was indirectly identifiable, from his dynamic IP address in combination with other available information. The CJEU turned to Recital 26 of the Directive which states that "to determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person".
Although Mr Breyer's dynamic IP address did not directly identify him, the parties all agreed that he could be indirectly identified by the combination of his IP address plus the account data held by his ISP. A key question for the Court was whether the test for determining identifiability is either:
- objective (i.e., the IP address is personal data in everybody's hands because the ISP can link the IP address to Mr Breyer's real world identity, even if nobody else can do so); or
- relative (i.e., the IP address is personal data in the ISP's hands, but would not be personal data in the hands of another party that had no lawful means of accessing the information held by the ISP).
Although the CJEU did not expressly resolve this question, it is clear from the judgment that the Court adopted the relative criterion. Where a piece of information (such as an IP address) does not directly identify a person, that piece of information will nevertheless be personal data in the hands of any party that can lawfully obtain sufficient additional data to link the information to a person's real world identity. On the other hand, that same piece of information will not be personal data in the hands of a party that has no legal means of obtaining sufficient additional data to make such a link.
What makes a dynamic IP address personal data?
The CJEU decided that a dynamic IP address will be personal data in the hands of a website operator if:
- there is another party (such as an ISP) that can link the dynamic IP address to the identity of an individual; and
- the website operator has a "legal means" of obtaining access to the information held by the ISP in order to identify the individual.
On the facts, if the BRD has the legal power to compel the relevant ISP to disclose sufficient information to identify Mr Breyer, then Mr Breyer's IP address will be personal data in the hands of the BRD.
Impact on businesses
The CJEU's decision in Breyer expands upon its previous decision in Case C-70/10 – Scarlet Extended (in which the Court held that IP addresses constitute personal data, but offered very little analysis as to why that was the case). The impact of the Breyer decision on businesses remains to be seen. If a business collects and processes IP addresses, but has no legal means of linking those IP addresses to the identities of the relevant users, then those IP addresses are unlikely to be personal data. However, businesses should note that if they have sufficient information to link an IP address to a particular individual (e.g., through login details, cookies, or any other information or technology) then that IP address is personal data, and is subject to the full protections of EU data protection law. For many businesses, this is likely to require a review of how IP addresses are handled in the context of activities such as customer engagement, website analytics, targeted online advertising, and so on.
It is also unclear what businesses could do to avoid this problem. For example, a business could contractually oblige individuals not to provide additional information linking their IP address to their identity (e.g., through its website Terms & Conditions). But if an individual provided that additional information (albeit in breach of contract) it seems that the relevant IP address may nevertheless be personal data.
In addition, businesses should note that Recital 26 to the recently adopted EU General Data Protection Regulation ("GDPR") states that the test for whether a person is "identifiable" (considered in detail above) depends upon "all the means reasonably likely to be used" to identify that person. The CJEU in Breyer did not directly consider the issue of likelihood of identification. If the BRD was not reasonably likely attempt to identify Mr Breyer from his IP address, this could potentially give rise to a different analysis under the GDPR. Consequently, it may be necessary for the CJEU to revisit this issue after enforcement of the GDPR begins on 25 May 2018.