In a decision dated 19 October 2016, the Court of Justice of the European Union (CJEU) has provided much needed clarification on a long-standing issue in EU data protection law.
A German politician brought an action concerning websites operated by the Federal Republic of Germany that stored personal data, including IP addresses, on logfiles for two weeks. The question before the CJEU was – are IP addresses personal data? According to Article 2(a) of EU Directive 95/46 “personal data” is any information relating to an identified or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly from the data.
The CJEU ruled that dynamic IP addresses constitute personal data for an online media service provider (here the Federal Republic of Germany) that makes a website accessible.
A dynamic IP address means that the computer’s IP address is newly assigned each time the website is visited. Unlike static IP addresses, it is not possible for dynamic IP addresses, using only files which are accessible to the public, to create an identifiable link between the user’s computer and the physical connection to the internet provider’s network . Hence, the data included in a dynamic IP address does not enable the online media service provider to identify the user.
However, according to the CJEU, a dynamic IP address will be personal data if the additional data necessary to identify the user of a website is stored by the user’s internet service provider. The website provider only needs to have the legal means which enables him to identify the user. According to the CJEU, this means it must be “reasonably likely” that a data controller will be able to combine a dynamic IP address with additional data held by the internet service provider (ISP) so as to enable the data controller to identify a person. Although the CJEU uses the words “reasonably likely”, the judgment seems to make clear that, in fact, dynamic IP addresses will be personal data unless it is practically impossible or unlawful for the data controller to access such additional data held by the ISP.
This decision has significant practical implications for all website providers, because the storing of user information by internet service providers falls under data protection laws. Ultimately, the website provider needs the consent of the user to store the dynamic IP address. This will also apply after the General Data Protection Regulation (GDPR) comes into force in May 2018, because Article 2 of Directive 95/46 is incorporated in almost the same words in Article 4 (1) of the GDPR.