The Court of Justice of the European Union (CJEU) has ruled that dynamic IP addresses are capable of constituting personal data under certain circumstances, ending years of speculation about whether such essential building blocks of the Internet qualified for protection under the EU Data Protection Directive.
In Patrick Breyer v Bundesrepublik Deutschland, the German Federal Court referred two questions to the CJEU in a case brought by Patrick Breyer, a member of the Pirate Party. He challenged the collection and use of dynamic IP addresses from websites run by the German Federal Government. A dynamic IP address is a binary number assigned by an Internet Service Provider (ISP) to a device so that data on a website can be transferred to the correct recipient, with a new number assigned to the device for each connection. The government justified this practice by reference to the prevention of crime, in particular denial-of-service attacks.
Both Attorney General Campos Sánchez-Bordona and the European Court’s Second Chamber thought that dynamic IP addresses could constitute personal data, on the grounds that a person could be “indirectly identified” if the IP addresses were combined with data held by ISPs, such as the time of connection and the pages visited on the website. The CJEU decided that in circumstances where a third party holds information that is likely to be used to identify the user of a website when put together with the dynamic IP addresses held by the provider of that website, those IP addresses constitute personal data. In this case, ISPs were the third party to whom the Federal Government would naturally go to obtain such further information, and German law provided a mechanism through which this could be done legally in the event of a cyberattack, hence creating the likelihood of various bits of information being combined to identify an individual.
While the German law which would allow access to the additional data held by the ISPs concerned situations involving the criminal law, there are a variety of situations in which courts will order that third parties provide information to government agencies or private parties for commercial purposes or for the purposes of a civil lawsuit. Given that the CJEU did not restrict itself to situations in which a criminal offence has taken place, the decision might have the unintended consequence of bringing more dynamic IP addresses (and similar information) within the scope of the Data Protection Directive than was intended.
The second question concerned the compliance of German law with the Data Protection Directive. The law in question prohibits the collection and use of personal data unless it is done for the purpose of facilitating and charging for the use of a website by the individual concerned. Proceeding on the basis that the Federal Government was acting in the same capacity as a private individual running a website, the Court decided that the German law was in fact too restrictive as it did not allow for a balancing of the provider’s and the user’s rights, and because it did not allow for processing of data to be justified by reference to the legitimate interests of the service provider.
Though the first finding has attracted more attention in the reporting of this case, the latter is equally significant, deciding as it did that German law was incompatible with the Directive and therefore could not stand. The decision in Breyer may impact on the laws of Member States beyond Germany. For example, the UK Data Protection Act 1998 does not refer to “direct or indirect” identification of a data subject, but defines personal data as “data which relate to a living individual who can be identified a) from those data, or b) from those data and other information which is in the possession of, or likely to come into the possession of, the data controller.” From now on, the CJEU’s expansive definition of personal data adopted in Breyer will need to be taken into account when assessing the ability to identify an individual.