On a request for a preliminary ruling by the Bundesgerichtshof on the interpretation of Articles 2(a) and 7(f) of Directive 95/46/EC (“Data Protection Directive”), the European Court of Justice (“ECJ”) held that:
a dynamic IP address registered by an online media services provider when a person accesses a website that the provider makes accessible to the public constitutes personal data within the meaning of … [Article 2(a) of Directive 95/46/EC], in relation to that provider, where the latter has the legal means which enable it to identify the data subject with additional data which the internet service provider has about that person
member states are precluded, pursuant to Article 7(f) of Directive 95/46, from passing legislation authorizing an “online media services provider … to collect and use personal data relating to a user of those services, without his consent.”
The ECJ was called upon to decide whether dynamic IP addresses (i.e. those “Internet Protocol” addresses dynamically assigned to a device by an access provider) are personal data relevant to Directive 95/46.
A German citizen, Mr. Breyer, filed for an injunction against Germany to stop the practice of storing dynamic IP addresses without user consent. In fact, most German Federal institutions’ websites, in order to prevent attacks and to prosecute “pirates”, store information on all access operations in logfiles, including “the name of the web page or file to which access was sought, the terms entered in the search fields, the time of access, the quantity of data transferred, an indication of whether access was successful, and the IP address of the computer from which access was sought.”
After an appeal, the Bundesgerichtshof suspended the proceeding and raised several questions for the ECJ to decide. On May 12, 2016, the Advocate General of the ECJ opined that dynamic IP addresses are personal data if additional information allowing identification of users can reasonably be obtained from third parties.
The ECJ’s decision followed the Advocate General’s opinion. The ECJ discussed the difference between “static” IP addresses (invariable IP addresses that allow continuous identification of the device connected to the network) and “dynamic” IP addresses (defined by the ECJ as “provisional addresses which are assigned for each internet connection and replaced when subsequent connections are made”), but did not derive from it any difference in the application of the Data Protection Directive.
The fact that the data stored by the German websites does not enable the data subject to be directly identified (the operators of the websites can identify Mr. Breyer only if the information relating to his identity is communicated to them by his internet service provider) does not mean that the dynamic IP addresses are not personal data under the Data Protection Directive. Indeed, the data subject does not need to be “identified”; he only needs to be “identifiable”, meaning a person “who can be identified, directly or indirectly”.
This is quite clear from Article 2(a) of the Data Protection Directive: “personal data” must relate to “an identified or identifiable natural person”. Hence, “an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity.” (emphasis added)
There was a precedent in the decisions of the ECJ: the Court had already held that the IP addresses of internet users were protected as personal data because they allowed users to be precisely identified (judgment of 24 November 2011, Scarlet Extended (C‑70/10, EU:C:2011:771)). However, that case differed from the present case in two respects: (i) in Scarlet Extended the collection and identification of the IP addresses was carried out by internet service providers, which were in possession of the additional data necessary to identify those users, and (ii) in Scarlet Extended, the data in question were “static IP addresses” and not “dynamic IP addresses”, as here.
The Court noted that the word “indirectly” in Article 2(a) suggests that “in order to treat information as personal data, it is not necessary that that information alone allows the data subject to be identified”. It also noted, based on Recital 26 of the Directive, that “to determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person”. Therefore “for information to be treated as ‘personal data’, it is not required that all the information enabling the identification of the data subject must be in the hands of one person.” Here, as we know, while the online media service provider does not have all the information to identify the data subject, that information – together with the information in possession of the internet service provider – allows the user’s identification.
The key point for the ECJ is whether “the possibility to combine a dynamic IP address with the additional data held by the internet service provider constitutes a means likely reasonably to be used to identify the data subject”. The ECJ noted that a finding of “reasonableness” would not stand “if the identification of the data subject was prohibited by law or practically impossible on account of the fact that it requires a disproportionate effort in terms of time, cost and man-power, so that the risk of identification appears in reality to be insignificant”, but this is not the case here: it would seem that if a cyber attack occurs
“legal channels exist so that the online media services provider is able to contact the competent authority, so that the latter can take the steps necessary to obtain that information from the internet service provider and to bring criminal proceedings.”
Hence, the ECJ held that
it appears that the online media services provider has the means which may likely reasonably be used in order to identify the data subject, with the assistance of other persons, namely the competent authority and the internet service provider, on the basis of the IP addresses stored.
After finding that dynamic IP addresses are personal information subject to the protection of the Directive, the ECJ discussed whether a member state – here Germany – is allowed to pass legislation allowing an online media services provider to collect and use a user’s personal data without his consent. The Court found that a member state cannot do this. Indeed, noted the Court, pursuant to Article 7(f), there are six cases in which processing is legitimate:
(a) the data subject has unambiguously given his consent; or
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; or
(c) processing is necessary for compliance with a legal obligation to which the controller is subject; or
(d) processing is necessary in order to protect the vital interests of the data subject; or
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed; or
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject which require protection under Article 1 (1).
Germany cannot add to those principles by creating additional exceptions, as it did in the legislation allowing the federal websites to collect users’ data without consent (see Paragraph 15 of the TMG).
The text of the decision is available here
For more information, Francesca Giannoni-Crystal.