Dynamic IP Addresses can
be Personal Data
On 19 October 2016, the European Court of Justice decided
that dynamic IP addresses can be regarded as personal data
in the sense of the Directive 95/46/EC of 24 October 1995
on the protection of individuals with regard to the
processing of personal data and on the free
movement of such data (Privacy Directive).
This means that the storing or processing of dynamic IP addresses will be subject to the conditions of the Privacy Directive (and soon the GDPR).
1. What are dynamic IP addresses?
Unlike a static IP address, a dynamic IP address does not, in principle, make it possible to establish a link between a specific computer and the physical network connection, using files, which are accessible to the public. Indeed, a dynamic IP address changes with each new connection to the Internet.
However, in certain circumstances, with the help of additional information, it is possible to establish the identity of the owner of the computer linked to the IP address, via a dynamic IP address.
The question therefore arose whether a dynamic IP address should not be regarded as personal data in the sense of the Privacy Directive?
2. The proceedings before the German Federal Court
The German Federal Court submitted this matter to the Court by means of prejudicial questions.
The reason for this was proceedings brought by a German citizen against the Federal Republic of Germany, following his visit of German federal institution websites. The German citizen demanded that the German authorities would be prohibited to save the IP-address of the hosting system from where he accessed the websites of the German federal institutions.
It appeared that most of these websites registered the IP addresses of each visit in log files, to protect against cyberattacks and to permit prosecution of possible attackers. Following the visit, these log files contain the IP address of the computer from which the website was visited.
Given that the German citizen could not accept the conduct of the German authorities, he lodged an appeal against this kind of storage. His appeals was aimed to have the Federal Republic of Germany banned from storing or having third parties store the IP address of the host system from which the internet user gained access to the publicly-accessible online media websites of German federal institutions, in as much as the storage of that IP address is not required in order to restore availability of that media in the event of an interruption.
The appeal was dismissed in first instance. However, the Appeal Judge granted part of the request.
The judge obliged the Federal Republic of Germany to desist from storing IP addresses or having them stored after the session, if the address is stored together with the time of the visit occurring via this address, and if the user revealed his identity during his visit.
In other words, the appeal judge decided that a dynamic IP address can be regarded as personal data, if it is stored together with the time of the visit via this address, and the user revealed his identity during his visit.
Indeed, this allows the website operator to identify the visitor by linking the visitors name with his IP address.
3. Prejudicial questions of the Federal Court
An appeal was also lodged against this decision. The German citizen felt that the appeal judges decision did not go far enough, and the German Federal Republic felt that this decision went much too far.
The Federal Court explained that the dynamic IP addresses of the computer of a user, which are stored by the operator of online media services, together with other stored log files, constitute specific data concerning the material circumstances of a visitor.
After all, this data provides information regarding the fact that the visitor visited specific websites, or retrieved specific files, at specific times via the Internet.
However, in principle, this data does not make it possible to directly identify a person.
It is only possible to identify the visitor in question when the operator of the website or on-line media service receives information from the Internet provider concerning the users identity.
The Federal Court then asked the European Court of Justice a prejudicial question concerning the interpretation of the provisions of the Privacy Directive.
Article 2, a) of the Privacy Directive defines personal data as: any information relating to an identified or identifiable natural person ("data subject"). an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;
The Court had to answer the question whether pursuant to this Article 2, a) a dynamic IP address that is registered by an on-line media service operator, each time a person visits a website, is personal data, if only a third party, such as an internet provider, holds the additional information required to identify that person.
4. How did the Court of Justice judge?
The Court observed that a dynamic IP address in itself is not personal data, as the identity of the person owning the computer from whom the website was visited is not immediately apparent from such address.
However, the Court also had to verify whether a dynamic IP address can be regarded as personal data if it relates to identifiable persons and the additional information required to identify that person is held by a third party.
Indeed, the term identifiable presumes not only direct identification, but also indirect identification. From the use of the term indirect in the definition of personal data, the Court deduces that it is not necessary for the data itself to allow the person to be identified, in order for it to qualify as personal data.
Determining whether a person is identifiable, requires examining all means which may reasonably be assumed to be used by the party responsible for processing or by any other person in order to identify the party in question.
The Court stated that there is no requirement for all the information, which can be used to identify the person to be stored by one and the same person.
This means that the fact that the website operator does not hold the additional information which is required in order to identify the user of a website does not preclude dynamic IP addresses, registered by the website operator, from being regarded as personal data.
It appears to the Court to be established that the possibility to combine a dynamic IP address with additional information, which is not in the possession of the internet provider, constitutes a means that may reasonably be assumed to be used in order to identify the person in question.
Therefore, in these circumstances, a dynamic IP address is personal data.
On the basis of this ruling, there is no longer any doubt as to the classification of dynamic IP addresses. The Court has explicitly judged that dynamic IP addresses qualify as personal data, even though the additional information which is required in order to identify the party in question is held by a third party.
As a consequence, website operators which store dynamic IP addresses in their log files, must respect the provisions of the Privacy Directive and soon the GDPR.
16 December 2016
Lynn Pype - firstname.lastname@example.org
Learn more about this topic: subscribe to our newsletter!