The Court of Justice of the European Union (“CJEU”) has ruled that dynamic IP addresses can constitute personal data.
Dynamic IP addresses, registered by a website provider when an individual accesses its website, shall constitute personal data where the operator has the legal means to combine the data with additional data (held by the internet service provider) to identify the data subject.
What is a “dynamic IP address”?
An IP (Internet Protocol) address is a unique number assigned to every device on a network. The IP address identifies the device on the internet. Most devices use dynamic IP addresses, which are assigned by the network when they connect and change over time (whereas static IP addresses do not change).
Whether a dynamic IP address constitutes personal data has been a grey area for quite some time, so the CJEU’s ruling in Breyer v Bundesrepublik Deutschland (Case C-582/14) takes us a step closer toward legal certainty on the topic.
Question for the CJEU
Mr Breyer brought an action alleging that dynamic IP addresses were personal data, and challenged the collection, use and storage of them by the website providers. The case eventually made its way to the German Federal Court of Justice, which then referred a question to the CJEU: does a dynamic IP address constitute personal data under Article 2(a) of the Data Protection Directive 95/46/EC?
It was recognised that dynamic IP addresses, alone, do not provide the website provider with enough data to identify users. The website provider needs to obtain additional data held by the internet service provider. The CJEU, however, looked to what “legal means” existed to enable the website provider to obtain the necessary additional data from the internet service provider in order to identify the data subject.
Here, the court said that in the event of cyber attacks, legal channels existed, enabling the website provider to obtain that additional information. For that reason, it was held that these dynamic IP addresses did constitute personal data.
The court did qualify this and said that it must be determined whether the possibility to combine the dynamic IP address with other data constitutes a means likely to be used to identify the data subject. The question, therefore, is, does it require a “disproportionate effort”? This is to be measured in terms of time, cost and man-power.
Do we have legal certainty?
To some degree, yes. However, the CJEU has qualified this with a new test, “disproportionate effort”. Whether this will add to, or settle, the confusion is yet to be seen.
What we do know is that it is accepted that a dynamic IP address could constitute personal data. This happens to be in line with the new General Data Protection Regulation which has expanded the definition of “personal data” to include “online identifiers”; but that is not scheduled to come into effect until 25 May 2018.
Website providers will therefore need to act sooner and review their processes for collecting, using and storing dynamic IP addresses to consider what implications this decision might have for them.