IP addresses as personal data under the CJEU, French Supreme Court, and the GDPR approach: towards an expanding protection of data

di Francesco Banterle (via www.iplens.org) Are IP addresses personal data? The answer has been debated in recent times.An IP (internet protocol) address is a series of digits assigned to a networked device to facilitate its communication over the internet. IP addresses do not directly reveal the identity of users: additional information is necessary to identify them. However they can show some patterns of user behaviour. Static IP addresses are invariable and allow continuous identification. Dynamic IP addresses are provisional and change each time there is a new connection.

A study commissioned by the EU Commission (available here) revealed how EU members’ traditions with regard to the IP address “personal” nature have substantially diverged.

Recently, in the Breyer case (full text here), the CJEU held that under Directive EC/95/46 (“Privacy Directive”) IP addresses can be personal data. The action was brought by Mr Patrick Breyer, a member of the German Pirate Party. He objected that websites of Federal German institutions store visitors’ IP addresses with the aim of preventing cyber-attacks and allowing criminal proceedings. Eventually, the Bundesgerichtshof asked the CJEU whether in that context (where only internet service providers – ISP – hold data to identify users) ‘dynamic’ IP addresses constitute personal data.

A personal data is any information relating to an identified or identifiable individual, including in by reference to an identification number. Recital 26 of Privacy Directive says that to determine whether a person is identifiable, account should be taken of all the means “likely reasonably” to be used either by the controller (or by any other person) to identify him/her. It is not required that all the information necessary to identify the data subject is in the hands of one person. The possibility to reach the data with reasonable efforts is enough. Thus, the CJEU held that, since the website owner is able to contact the competent authority, so that the latter orders the ISP to disclose additional data on the individual, the website owner has the means which may likely reasonably be used to identify the data subject on the basis of the IP address. In light of this, a dynamic IP address can constitute personal data.

The Court thus embraced an extensive interpretation, previously suggested by the Article 29 Working Party (see opinion 4/2007 on the concept of personal data, p. 16).

Personal nature of IP addresses has been recently confirmed by the French Cour de Cassation (French text here), which held – although briefly – that “les adresses IP, qui permettent d’identifier indirectement une personne physique, sont des données à caractère personnel”.

In this context, the General Data Protection Regulation (“GDPR”) has strengthened this approach. It has specifically recognized that online identifiers, including IP addresses, may potentially identify users and create profiles, especially when combined with unique identifiers (e.g., usernames, see Recital 30). Therefore, the GDPR now explicitly includes online identifiers in the definition of personal data (Article 4). Thus, apparently the rule set by the GDPR could be as follows: IP addresses (likewise online identifiers) are presumed to be personal data unless under the circumstances a data controller can demonstrate that it does not have means “likely reasonably” to identify individuals. However, based on Breyer such proof will not be easily reached.

Finally, as a confirmation of the tendency to expand the definition of data deserving protection, the e-Privacy Regulation proposal (available here, which should repeal Directive 2002/58/EC) seems in line with the GDPR’s approach. The draft includes metadata (e.g. time of a call and location, numbers called, the websites visited, etc.), which are highly intrusive in the privacy sphere, within the scope of the protected data. Thus, except their use for billing purposes, metadata will require users’ consent to be used.

In sum, the concept of protected data is in the process of being updated and expanded, probably having the IoT and big data in mind, to embrace all aspects of virtual identities. And shall be shortly re-defined also vis-à-vis new tracking techniques.

CJEU, decision of 19 October 2016, C-582/14, Patrick Breyer v. Bundesrepublik

French Supreme Court, decision of 3 November 2016

26 gennaio 2017