Dynamic IP addresses collected or processed by website and app operators will now need to be treated as personal data. We discuss the material implications of today’s ruling of the European Court of Justice (ECJ) in the case of Patrick Breyer v Bundesrepublik Deutschland (C-582/14).
The case arose when privacy activist Patrick Breyer sought an injunction against the German government to prevent it from storing dynamic IP addresses when certain German government websites were visited.
A dynamic IP address is a string of numbers temporarily assigned by an Internet Service Provider (ISP) to an individual computer or other device when it connects to the internet, and changed when a subsequent connection is made. The government websites in question logged certain information when searches were made on the sites, including the file or webpage sought, the information entered in search fields, a time/date stamp, the volume of data transferred, whether access was successful and the dynamic IP address of the user’s computer.
The case was dismissed at first instance, but upheld in part on appeal. A number of questions were referred to the ECJ, including whether a dynamic IP address stored by a service provider when its website is accessed would amount to personal data if a third party (such as an ISP) had the additional knowledge required in order to identify the data subject.
Opinion of the Advocate General
The Advocate General (AG), in his opinion dated 12 May 2016, considered the definition of “personal data” in the Data Protection Directive 95/46/EC which includes data from which an individual is “identifiable”. The AG interpreted this provision in the context of Recital 26 to the Directive, which states that:
“to determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person”.
In the AG’s view, Mr Breyer’s ISP would be able to identify the account holder from the IP address. The ISP would therefore qualify as “any other person” in the Recital.
If the German government wished to identify a particular user who had been browsing its website from a dynamic IP address, it would know that the ISP was able to do this and would contact the ISP. While legal obstacles exist to limit the situations in which an ISP can be required to match up dynamic IPs with the details of the relevant account holder, there was a “practical possibility within the framework of the law” that this could happen.
This scenario was therefore “reasonable” and fell within the category of “means likely reasonably to be used” either by the German government or the ISP to identify the account holder connected with the dynamic IP. The AG therefore concluded that dynamic IP addresses collected by service providers such as websites constitute personal data held by that service provider.
The ECJ on 19 October 2016 gave its judgment in the case. This broadly followed the argument of the AG and has confirmed the position that dynamic IP addresses collected by “online media services providers” (which under German legislation covers website and mobile app operators) must now be treated as personal data. This is on the basis that the ISP holds the key to identify an individual (i.e. the account holder) from the IP address, and that there is a practical possibility that such information could be obtained from ISPs.
In coming to this view, the Court appears to have placed some reliance on the fact that legal channels exist enabling online media services providers to compel ISPs to disclose identifying information in order to identify and prosecute those responsible for cyberattacks.
The judgment extends the view of the court expressed in Scarlet Extended (Case C-70/10) which confirmed that ISPs themselves are required to treat IP address data as personal data.
What does this mean in practice?
Website operators face the prospect that information previously considered to be innocuous “log file data” now needs to be classed as personal data. As such it will be subject to applicable protections under European data protection legislation.
The judgment does not necessarily mean that dynamic IP addresses will be personal data in every context as the ruling focuses on “online media services providers” (i.e. website operators and mobile app providers). In the hands of others – who may not be able to compel ISPs to disclose the relevant users’ identities in the same way that website operators can – dynamic IP addresses may not constitute personal data.
As for other online identifiers such as third party cookie IDs and Apple Ad IDs, again the judgment may not necessarily mean that these must also be personal data. As noted above, the Court appears to have placed significant weight on the fact that website operators are able to use legal channels to compel ISPs to disclose identifying information in response to cyberattacks. Those same channels will not generally be relevant to a website owner seeking identification of individuals based on third party cookie IDs or, say, Apple Ad IDs.
However, following this judgment, any website operator or mobile app provider collecting or processing dynamic IP addresses will need to review as a matter of urgency:
- Privacy notices: Do these adequately cover what the business does with IP addresses?
- Grounds for processing: Can the business rely on “legitimate interests” grounds for collecting/processing IP addresses? If not, and if no other grounds under European data protection legislation apply, will consent be necessary?
- Website & App Tracking: Are practices in relation to tracking the use of websites and apps compliant, and do agreements with tracking service providers contain appropriate safeguards (e.g. in relation to anonymizing IP addresses)?
- Data security arrangements: Are adequate measures in place to protect the security of databases of IP addresses? Do data breach processes/policies need to be updated to cover IP address issues as well?
- International data transfers: Do existing mechanisms for transfer of data outside the EEA (model contract clauses, Privacy Shield certifications etc.) need to be expanded to cover IP address data? Will new mechanisms need to be put in place?
- Trading agreements: Are any contract variations going to be required to reflect IP addresses now being treated as personal data?
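As a practical illustration of the IP address anonymization safeguard and the log-file data security points in the checklist above, the following Python script is an added example; it is not part of the judgment or of this briefing. It assumes web server logs in the Apache "combined" format, where the client address is the first field of each line, and it uses constructed sample lines with documentation-only addresses. Two techniques are shown: truncation, which irreversibly discards the host part of the address (the IPv4 /24 and IPv6 /48 prefix lengths are a common convention, not a legal threshold), and keyed pseudonymization with HMAC-SHA256, which keeps lines from the same address linkable for abuse detection but remains reversible for whoever holds the key, so the resulting tags should still be handled as pseudonymous rather than anonymous data.

```python
import hashlib
import hmac
import ipaddress
import re
from typing import Iterable, List, Optional

# Constructed sample lines in Apache "combined" log format. The addresses are
# documentation ranges (RFC 5737 / RFC 3849), not real visitors. Note that the
# request line also carries the search term entered by the visitor, one of the
# other fields the judgment mentions as being logged.
SAMPLE_LOG = [
    '192.0.2.45 - - [19/Oct/2016:10:15:32 +0000] "GET /search?q=breyer HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '2001:db8:85a3::8a2e:370:7334 - - [19/Oct/2016:10:16:01 +0000] "GET /index.html HTTP/1.1" 200 812 "-" "curl/7.50.1"',
    'not-an-ip - - [19/Oct/2016:10:16:05 +0000] "GET / HTTP/1.1" 400 0 "-" "-"',
]

# The first whitespace-delimited field of a combined-format line is the client address.
_CLIENT_FIELD = re.compile(r"^(\S+)")


def truncate_ip(addr: str, v4_prefix: int = 24, v6_prefix: int = 48) -> str:
    """Irreversibly coarsen an address by zeroing its host bits.

    Defaults keep a /24 for IPv4 and a /48 for IPv6 (assumed convention).
    """
    ip = ipaddress.ip_address(addr)
    prefix = v4_prefix if ip.version == 4 else v6_prefix
    network = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(network.network_address)


def pseudonymize_ip(addr: str, key: bytes) -> str:
    """Replace an address with a keyed HMAC-SHA256 tag (first 16 hex characters).

    Parsing first normalises the textual form, so "2001:0db8::1" and
    "2001:db8::1" yield the same tag. Linkability is preserved; the key holder
    can still test a candidate address against a tag, so this is pseudonymous.
    """
    ip = ipaddress.ip_address(addr)
    tag = hmac.new(key, ip.packed, hashlib.sha256).hexdigest()[:16]
    return f"pseudo-{tag}"


def scrub_line(line: str, mode: str = "truncate", key: Optional[bytes] = None) -> str:
    """Rewrite the client-address field of one log line.

    A first field that does not parse as an IP address is replaced with a fixed
    marker rather than passed through, so nothing identifying survives by accident.
    """
    match = _CLIENT_FIELD.match(line)
    if not match:
        return line  # empty or whitespace-led line: nothing to scrub
    field = match.group(1)
    try:
        ipaddress.ip_address(field)
    except ValueError:
        return "redacted" + line[match.end():]
    if mode == "truncate":
        replacement = truncate_ip(field)
    elif mode == "pseudonymize":
        if key is None:
            raise ValueError("pseudonymize mode requires a key")
        replacement = pseudonymize_ip(field, key)
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return replacement + line[match.end():]


def scrub_log(lines: Iterable[str], mode: str = "truncate", key: Optional[bytes] = None) -> List[str]:
    """Apply scrub_line to every line, returning the rewritten log."""
    return [scrub_line(line, mode, key) for line in lines]


if __name__ == "__main__":
    for scrubbed in scrub_log(SAMPLE_LOG):
        print(scrubbed)
    demo_key = b"constructed-demo-key-keep-separately"  # placeholder, not a real secret
    for scrubbed in scrub_log(SAMPLE_LOG, mode="pseudonymize", key=demo_key):
        print(scrubbed)
```

In a deployment the pseudonymization key would be held apart from the log store and rotated, since the tags are only as protected as the key; truncation needs no key management and is the choice where later re-identification is not required at all.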