Yesterday the Court of Justice of the European Union ("CJEU") ruled that dynamic IP addresses constitute personal data within the meaning of Article 2(a) of Directive 95/46 on the protection of individuals with regard to the processing of personal data and on the free movement of such data ("Directive 95/46") (case c-582/14).
The applicant, Mr Breyer, accessed several websites operated by German federal institutions. In order to prevent cyberattacks and render it possible to prosecute pirates, the websites in question store information on all access operations in log files, including the (dynamic) IP address of the computer from which access was sought. Believing that such storage constituted, under data protection law, an unlawful interference with his right to privacy, Mr Breyer brought an action before the German administrative courts seeking an order enjoining the Federal Republic of Germany from storing, or arranging for third parties to store, the IP address of the user's host system after the consultation of publicly accessible websites run by the German federal institutions’ online services.
After his claim was rejected by the lower court, Mr Breyer filed a petition with the court of appeal.
His appeal was upheld in part, and the German government was ordered to stop storing IP addresses after the end of the access period. This prohibition only applied, however, if the user revealed, in the course of access, personal data, such as an email address, and if storage was not required in order to restore the availability of the online media services.
As neither side was satisfied with this ruling, the parties appealed to the Bundesgerichtshof (Federal Court of Justice) which referred the following questions to the CJEU for a preliminary ruling.
Questions referred for a preliminary ruling
The questions referred to the CJEU for a preliminary ruling were the following:
- Must Article 2(a) of Directive 95/46 be interpreted as meaning that an internet protocol address (IP address) which an [online media] service provider stores when his website is accessed already constitutes personal data for the service provider if a third party (an access provider) has the additional knowledge required in order to identify the data subject?
- Does Article 7(f) of [that directive] preclude a provision in national law under which a service provider may collect and use a user’s personal data without his consent only to the extent necessary in order to facilitate, and charge for, the specific use of the telemedium by the user concerned, and under which the purpose of ensuring the general operability of the telemedium cannot justify use of the data beyond the end of the particular use of the telemedium?’
Analysis of the questions by the CJEU
The CJEU recalled that pursuant to Article 2(a) of Directive 95/46, personal data means "any information relating to an identified or identifiable natural person" and that an identifiable person is "one that can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity."
According to the CJEU, it is generally accepted that a dynamic IP address does not constitute information relating to an "identified natural person" as it does not directly reveal the identity of the natural person using the IP address.
Consequently, it is necessary to assess whether a dynamic IP address concerns information with regard to an "identifiable natural person", bearing in mind that the additional data necessary to identify the individual are held by that individual's internet service provider and not by the online media services provider. As Article 2(a) of Directive 95/46 provides that an identifiable person is one that can be identified directly or indirectly, it is not necessary that all information be held by the controller.
When determining whether a person is identifiable, all means reasonably likely to be used by the controller or any other person to identify the individual should be taken into account. Therefore, in the case at hand, it must be assessed whether "the possibility to combine a dynamic IP address with the additional data held by the internet service provider constitutes a means reasonably likely to be used to identify the data subject".
The CJEU found that even though German law prohibits an internet service provider from transmitting the additional data necessary to identify the individual, it appears that, in certain cases, such as a cyberattack, the online media services provider may contact the competent authority which can in turn obtain the information from the ISP.
Therefore, the CJEU concluded that the online media services provider has means which are reasonably likely to be used in order to identify the data subject, with the assistance of other persons, namely the competent authority and the ISP, based on the stored IP addresses.
The CJEU recalled that Article 7 of Directive 95/46 sets out an exhaustive and restrictive list of cases in which the processing of personal data can be regarded as lawful and that the Member States cannot add new principles relating to the lawfulness of the processing of personal data or impose additional requirements which have the effect of amending the scope of one of the six cases listed in that article.
The CJEU established that, in the present case, the relevant German statutory provision has a more restrictive scope than the principle laid down in Article 7(f) of Directive 95/46. While Article 7(f) allows the opposing rights and interests at issue to be balanced, the relevant German provision excludes the possibility of a balancing of interests as it specifies all cases in which data may be held. In other words, the German legislation determines the outcome of the balancing test without allowing for a different result in view of the specific circumstances of the case. Therefore, the German provision violates Directive 95/46.
Answers of the CJEU
- Article 2(a) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data must be interpreted as meaning that a dynamic IP address registered by an online media services provider when a person accesses a website that the provider makes accessible to the public constitutes personal data within the meaning of that provision, in relation to that provider, where the latter has the legal means which enable it to identify the data subject with additional data which the internet service provider has about that person.
- Article 7(f) of Directive 95/46 must be interpreted as precluding the legislation of a Member State, pursuant to which an online media services provider may collect and use personal data relating to a user of those services, without his consent, only in so far as that the collection and use of that data are necessary to facilitate and charge for the specific use of those services by that user, even though the objective aiming to ensure the general operability of those services may justify the use of those data after a consultation period of those websites.