Menu
undefined undefined
My dashboard
My Content
My products (0) My insights (0) My events (0) My contacts (0)
  • chevron-left Home |
  • chevron-left Insights |
  • chevron-left Publications |
  • European Court of Justice: Dynamic IP addresses may be considered “personal data”

European Court of Justice: Dynamic IP addresses may be considered “personal data”

The Court of Justice of the European Union ruled in its judgment of 19 October 2016 that a dynamic IP address registered by a website operator must be considered “personal data”.

09 November 2016

Publication

The Court of Justice of the European Union (CJEU) ruled in its judgment of 19 October 2016 (Patrick Breyer v. Bundesrepublik Deutschland - Case C-582/14) that a dynamic IP address registered by a website operator must be considered “personal data” by that operator if and as far as the user’s internet service provider has additional information about the user and the legal means that would allow - in combination with the IP address - to identify the user.

The German Federal Court of Justice (BGH) referred to the CJEU the question whether the website user’s dynamic IP address registered by a website operator is considered “personal data” within the meaning of Article 2(a) of the EU Directive 95/46/EC (Data Protection Directive), if only a third party, namely the internet service provider, has the additional data which is required to identify the user.

The CJEU ruled that such dynamic IP address (meaning a “provisional” IP address which is re-assigned for each internet connection) constitutes “personal data”, if the following requirements are met:

  • the internet services provider has additional data that enables (in combination with the IP address) the identification of the website user, and
  • the identification of the website user is legally and practically possible.

The CJEU relied in this context in particular on Recital 26 of the Data Protection Directive, according to which “all means likely reasonably to be used either by the controller [here: website operator] or any other person to identify the said person” must be taken into account when determining whether a person is identifiable. According to the Court’s opinion, it is therefore not required that all the information enabling the identification of the user must be in the hands of one person. It can rather be sufficient, if the additional data necessary to identify the user is held by another person, namely the internet service provider.

The possibility to combine the dynamic IP address with additional data held by the internet service provider must, in addition, constitute a reasonable means to identify the website user. In other words, a dynamic IP address is only considered “personal data”, if the identification of the data subject is legally admissible and practically possible. The CJEU found that under German law there are legal means that give a website operator the right to access additional data in possession of the internet service provider in order to identify the relevant person who used a dynamic IP address at a certain point of time (eg in the event of cyber-attacks in order to go against the attackers). The CJEU therefore concluded that dynamic IP addresses that are processed by website operators have to be considered “personal data”.

Please note that in its judgment, the CJEU also ruled - in favor of website operators - that Section 15 para 1 sentence 1 of the German Telemedia Act (TMG), which extremely limits the possibilities to use personal data, does not comply with the Data Protection Directive.

Under Section 15 para 1 TMG, a service provider may only collect and use personal data without the user’s consent in so far as the collection and use of this data is necessary:

  • to enable the use of the telemedia, or
  • to invoice the use of telemedia.

Section 15 TMG does not take into account any “legitimate interests” of a company. In this context it has to be noted that the Data Protection Directive sets out in its Article 7 that a legitimate interest of a company may very well enable a company to process personal data, if it outweighs the interests of the data subject.

The CJEU clearly states in its judgment that Member States cannot impose additional requirements relating to the lawfulness of data processing. The Court reasoned that the website operator may have legitimate interests which may very well prevail over those of the website user. As a consequence, Section 15 para 1 sentence 1 TMG, which does not take into account the website operator’s legitimate interests, has a more restrictive scope than the principles laid down in Article 7 of the Data Protection Directive and does therefore not comply with the Data Protection Directive.

Summary

The Court’s decision will have an impact on how to define “personal data” in the sense of the Data Protection Directive and, once applicable, of the General Data Protection Regulation (GDPR). The CJEU clarified in its judgment, in particular, that a dynamic IP address must be processed - under certain circumstances that always apply to a website operator in Germany - in accordance with EU data protection law.

The decision also clearly states that EU Member State law may not restrict the processing of personal data beyond the requirements set out in the Data Protection Directive, except where they are expressly permitted to do so. This will apply accordingly with regard to the GDPR.

Read the full text of the judgment

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.

Related insights

This website uses cookies and other similar technologies to ensure you get the best experience on our website. Please review our cookie policy and our data protection privacy notice for more information on how the data that is collected is used.