What is this all about?
EU data protection rules protect personal data, meaning information relating to an identified or identifiable natural person. In a recent important ruling the European Court of Justice (“the European Court”) has extended the concept of what constitutes personal data to include dynamic IP addresses.
What is the background to the case?
A German individual called Patrick Breyer took legal action against the German state concerning some of its websites that stored website visitors’ personal data, including IP addresses (a unique address that computing devices use to identify themselves and communicate with other devices in the IP [Internet Protocol] network). The German state justified the storage on cybersecurity grounds, in particular to identify and combat denial-of-service (or DDoS) attacks, which aim to paralyse the sites through the targeted and coordinated saturation of web servers with huge numbers of requests.
Breyer sought an injunction to, in effect, prevent websites run by German federal bodies from storing his dynamic IP address. Internet service providers allocate to the computers of internet users either a static IP address or a dynamic IP address, the latter being an IP address which changes each time there is a new connection to the internet. Unlike static IP addresses, dynamic IP addresses do not enable a link to be established, through files accessible to the public, between a given computer and the physical connection to the network used by the internet service provider.
The case eventually reached the German Federal Court of Justice, which referred it to the European Court for an interpretation of EU data protection law, asking two questions. The first was whether the dynamic IP addresses of website visitors constitute personal data, given that when those IP addresses are processed with additional information, internet service providers can identify individuals.
What did the court decide?
The European Court ruled that:
- a dynamic IP address registered by an online media services provider constitutes personal data under EU data protection rules
- where the provider can (legally) provide additional data, which in combination with the IP address, allows for the identification of the user.
The full judgment can be found here.
What are the takeaways?
The ruling brings judicial clarity to what has been an ongoing issue for some time. We’ve assumed with our clients that IP addresses are personal data – this case makes that clearer.
The immediate upshot is that IP addresses must now be processed in accordance with the requirements of existing EU data protection rules. It is also worth noting that the EU General Data Protection Regulation (“the EU GDPR”), which will be fully applicable from May 2018, states that IP addresses may be used to identify natural persons and “[t]his may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them” (see recital 30 of the preamble). Website operators will therefore need to review their practices, especially as users’ consent will be needed to store a dynamic IP address.
We can help
Cordery’s GDPR Navigator solution includes resources to help deal with complying with the EU GDPR including the issue of consent – for more information please see here.
For more information please contact André Bywater or Jonathan Armstrong who are lawyers with Cordery in London where their focus is on compliance issues.
Office: +44 (0)207 075 1785
Office: +44 (0)207 075 1784