Dynamic IP addresses may constitute ‘personal data’
Recently the European Court of Justice (‘CJEU’) clarified the definition of personal data under the Data Protection Directive. In the Breyer case[1] the CJEU ruled on whether or not a dynamic IP address qualifies as personal data. The Court held that dynamic IP addresses may constitute personal data even though information may have to be sought from third parties to identify the data subjects.
Breyer case
Breyer was referred to the CJEU by the German courts. Mr Breyer had accessed several websites operated by German federal institutions. Paragraph 14 of the ruling describes the following information practices with regard to those websites:
‘With the aim of preventing attacks and making it possible to prosecute ‘pirates’, most of those websites store information on all access operations in logfiles. The information retained in the logfiles after those sites have been accessed include the name of the web page or file to which access was sought, the terms entered in the search fields, the time of access, the quantity of data transferred, an indication of whether access was successful, and the IP address of the computer from which access was sought.’
Mr Breyer objected and requested an injunction from the German courts seeking to prevent the processing of this information. This led to the German courts referring two questions to the CJEU of which the first question was:
‘Must Article 2(a) of Directive 95/46 … be interpreted as meaning that an internet protocol address (IP address) which an [online media] service provider stores when his website is accessed already constitutes personal data for the service provider if a third party (an access provider) has the additional knowledge required in order to identify the data subject?’
The CJEU answered: ‘Article 2(a) of Directive 95/46 must be interpreted as meaning that a dynamic IP address registered by an online media services provider when a person accesses a website that the provider makes accessible to the public constitutes personal data within the meaning of that provision, in relation to that provider, where the latter has the legal means which enable it to identify the data subject with additional data which the internet service provider has about that person.’
How did the CJEU arrive at this conclusion in paragraph 49 of the ruling? Let’s start with the definition of personal data.
Personal data
According to Article 2 of the Directive, ‘personal data’ shall mean any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.
‘41 The use by the EU legislature of the word ‘indirectly’ suggests that, in order to treat information as personal data, it is not necessary that that information alone allows the data subject to be identified.
42 Furthermore, recital 26 of Directive 95/46 states that, to determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person.
43 In so far as that recital refers to the means likely reasonably to be used by both the controller and by ‘any other person’, its wording suggests that, for information to be treated as ‘personal data’ within the meaning of Article 2(a) of that directive, it is not required that all the information enabling the identification of the data subject must be in the hands of one person.
44 The fact that the additional data necessary to identify the user of a website are held not by the online media services provider, but by that user’s internet service provider does not appear to be such as to exclude that dynamic IP addresses registered by the online media services provider constitute personal data within the meaning of Article 2(a) of Directive 95/46.
45 However, it must be determined whether the possibility to combine a dynamic IP address with the additional data held by the internet service provider constitutes a means likely reasonably to be used to identify the data subject.’[2]
Dynamic IP address
Dynamic IP addresses are temporarily assigned to each computer as it goes on-line and released, to be reassigned to another computer, when it goes off-line. As a result, a dynamic IP address alone cannot be used to directly identify the computer from which access was sought. If one of the German federal institutions wanted to identify which computer had been assigned a particular IP address at a given time, it would have to request that information from the internet service provider, which under German law it may do in order to start criminal proceedings in case of cybercrime.
This led the CJEU to conclude that dynamic IP addresses are personal data if website operators, such as the German federal institutions, have ‘legal means’ enabling the identification of the person associated with the IP address with the help of additional information which that person’s internet service provider has.
Anonymisation & pseudonymisation
The Directive does not apply to data rendered anonymous in such a way that the data subject is no longer identifiable. According to recital 26 of the General Data Protection Regulation (‘GDPR’), applicable as from 25 May 2018, anonymous data also remain outside the scope of the GDPR:
‘The principles of data protection should therefore not apply to anonymous information, that is information which does not relate to an identified or identifiable natural person or to data rendered anonymous in such a way that the data subject is not or no longer identifiable. This Regulation does therefore not concern the processing of such anonymous information, including for statistical and research purposes.’
Anonymisation is almost impossible in practice.[3] Under the GDPR, pseudonymisation is introduced and defined as: ‘the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, as long as such additional information is kept separately and subject to technical and organizational measures to ensure non-attribution to an identified or identifiable person (…).’
The Breyer case suggests that data will still be personal even if legal means are required to make a person identifiable. Additional information, even when kept separately by a third party and subject to technical and organisational measures to ensure non-attribution, may still be used to make a person identifiable. In the light of the Breyer case, the question arises what will be left of the concept of pseudonymisation under the GDPR. Pseudonymisation may turn out to be as hard to achieve as anonymisation. In practice this could mean that more and more data processing activities of organisations will be covered by the GDPR, as more and more data qualifies as personal data subject to the Regulation.
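To make the distinction concrete for an engineer who runs the kind of access logs described in paragraph 14, the following is an added example (not code from the article, the ruling or any of the institutions involved). It pseudonymises the client IP in a constructed log line with a keyed HMAC, shows the coarser truncation often used as an anonymisation step, and shows that whoever holds the key (the ‘additional information’ the GDPR definition refers to) can still link the pseudonym back to an address, which is exactly why the Breyer reasoning leaves such data inside the scope of the Regulation. The log line format, the key and the addresses are all constructed for the example.

```python
import hashlib
import hmac
import ipaddress
import re

# Constructed sample log line modelled on the fields listed in paragraph 14 of the ruling
# (time of access, page/search requested, bytes transferred, status, client IP). Not a real log.
SAMPLE_LOG_LINE = "2016-10-19T10:15:42Z /press/search?q=data+protection 1842 200 203.0.113.42"

# Assumed line layout for the constructed sample: five space-separated fields, IP last.
LOG_PATTERN = re.compile(
    r"^(?P<time>\S+) (?P<request>\S+) (?P<bytes>\d+) (?P<status>\d{3}) (?P<ip>\S+)$"
)


def pseudonymise_ip(ip: str, key: bytes) -> str:
    """Keyed pseudonym: the same address under the same key always yields the same token.

    Without the key the token cannot be reversed or even brute-forced over the IPv4 space,
    so the key is the 'additional information' that must be kept separately.
    """
    addr = ipaddress.ip_address(ip)  # validates and canonicalises the address
    digest = hmac.new(key, addr.packed, hashlib.sha256).hexdigest()
    return "ip-" + digest[:16]


def anonymise_ip(ip: str) -> str:
    """Truncate host bits (IPv4 to /24, IPv6 to /48).

    Irreversible and keyless, but only coarsens the data: the address is no longer
    unique per client, at the cost of losing per-client analysis entirely.
    """
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    network = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(network.network_address)


def rewrite_log_line(line: str, key: bytes) -> str:
    """Replace the IP field of one log line with its keyed pseudonym; other fields are kept."""
    match = LOG_PATTERN.match(line)
    if match is None:
        raise ValueError("unrecognised log line")
    return line[: match.start("ip")] + pseudonymise_ip(match.group("ip"), key)


def reidentify(pseudonym: str, candidate_ips, key: bytes):
    """What the key holder can do: match a stored token back to one of a set of addresses.

    This is the re-identification path that Breyer treats as 'means likely reasonably to
    be used' when the key holder can be compelled or asked to cooperate.
    """
    for ip in candidate_ips:
        if hmac.compare_digest(pseudonymise_ip(ip, key), pseudonym):
            return ip
    return None


if __name__ == "__main__":
    # Constructed key; in a real deployment it would be stored separately from the logs.
    key = b"constructed-example-key"
    print(rewrite_log_line(SAMPLE_LOG_LINE, key))
    print(anonymise_ip("203.0.113.42"))
    token = pseudonymise_ip("203.0.113.42", key)
    print(reidentify(token, ["198.51.100.7", "203.0.113.42"], key))
```

The design point is that the pseudonymised log is only as separate from the person as the key is from the log: rotating the key per retention period limits how far back a later re-identification can reach, whereas the truncated form needs no key at all but can no longer distinguish clients within the same /24.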
[1] CJEU 19 October 2016, Patrick Breyer v Bundesrepublik Deutschland, C‑582/14.
[2] Breyer case, paragraphs 41–45.
[3] Article 29 Data Protection Working Party, Opinion 05/2014 on Anonymisation Techniques, WP216.