ECJ holds dynamic IP addresses are personal data if additional information allowing user identification can reasonably be obtained from third parties

downloadOn October 19, 2016, the European Court of Justice (“ECJ”) presented its conclusions in Patrick Breyer v. Bundesrepublik Deutschland (case C‑582/14).

According to the ECJ

The dynamic internet protocol address of a visitor constitutes personal data, with respect to the operator of the website, if that operator has the legal means allowing it to identify the visitor concerned with additional information about him which is held by the internet access provider.

Mr. Breyer filed for an injunction against Germany to obtain the discontinuation of its practice of memorizing dynamic IP addresses. Dynamic IP addresses are those IP (“Internet Protocol”) addresses dynamically assigned to a device by an access provider (usually a telephonic carrier). The case landed before the German federal court (Bundesgerichtshof), which suspended the proceeding and raised several questions for the ECJ to decide. More on the proceeding here.

Particularly interesting is the question of whether Article 2(a) of EU Privacy Directive 95/46 must be interpreted in the sense that a user’s IP address memorized by a provider with reference to user’s access to its website, is “personal data” if there is a third party (here access provider) which possesses additional information necessary to identify the user.

On May 12, 2016, the Advocate General of Campos Sánchez-Bordona opined that the ECJ should answer “yes” : the dynamic IP address must be qualified as personal data with respect to the internet service provider, because there is a third party (the access provider) from which the internet service provider can reasonably obtain additional information that allows – in association with the memorized IP address – the identification of users. See here.

The ECJ agreed with the AG’s conclusions:

Article 2(a) of Directive 95/46/EC … must be interpreted as meaning that a dynamic IP address registered by an online media services provider when a person accesses a website that the provider makes accessible to the public constitutes personal data within the meaning of that provision, in relation to that provider, where the latter has the legal means which enable it to identify the data subject with additional data which the internet service provider has about that person.

In that context, the Court emphasized that the operator of a website may have a legitimate interest in storing certain personal data relating to visitors to that website in order to protect itself against cyberattacks.

Full text of the opinion here: English, Spanish, German, French (language not available).

Press release n. 112/16, relating to Judgment in Case C-582/14, Patrick Breyer v Bundesrepublik Deutschland is available at http://curia.europa.eu…             Open PDF

 

For more information, Francesca Giannoni-Crystal

Follow us on& Like us on