ANALYSIS European Union court rules that IP addresses are personal data The Breyer case, another landmark ruling on key data protection notions, covers the definition of personal data in relation to dynamic IP addresses and the “legitimate interest” legal basis for data processing. By Monika Kuschewsky . he Court of Justice of the EU only temporarily assigned and change website was accessed, or that of another (CJEU) has yet again issued an each time there is a new connection person who might use that computer. important ruling, interpreting from a computer or device to the Inter - The CJEU then considered whether Tkey notions of the EU Data Protection net. Website operators (as opposed to dynamic IP addresses may be treated as Directive (the Directive) in its recent Internet service providers, ISPs) do not personal data relating to an “identifi - judgement of 19 October 2016 in the usually possess all the information to able natural person”, who can be iden - Case Patrick Breyer vs. Bundesrepub - identify the users behind the IP tified indirectly. In interpreting this lik Deutschland (C -582/14). In particu - address. provision, the CJEU made two lar, the CJEU answered two questions, Though initially dismissed by a important statements: namely: (1) whether dynamic IP lower court, the case was brought • first, “it is not necessary that that addresses constitute personal data for before Germany’s highest civil court information alone allows the data website operators and (2) concerning (the Bundesgerichtshof or BGH), subject to be identified;” and, the permissible scope of Member which referred two questions for a pre - • second, “it is not required that all States’ implementing legislation con - liminary ruling to the CJEU. the information enabling the identi - cerning the “legitimate interest” legal fication of the data subject must be basis for data processing under Article avk^jf` fm= ^aaobppbp ^p in the hands of one person.” 7 lit. f) of the Directive. mboplk^i a^q^ Applying these criteria to the case at The ruling did not come as any In Scarlet Extended SA vs. SABAM hand, the fact that the website operator great surprise to legal onlookers, as it (C -70/10) the CJEU had held that the itself does not have the additional data largely followed the Attorney Gen - IP addresses of Internet users were necessary to identify the user of a web - eral’s Opinion of 12 May 2016. It also protected personal data because they site does not exclude the qualification reconfirmed the limits that national allow those users to be precisely of a dynamic IP address as personal legislators need to respect when imple - identified. However, in that case, the data. The question then is whether it is menting the Directive, which the CJEU collection and identification of the IP sufficient that a third party, here the had established previously. Whilst pro - addresses of Internet users was carried ISP, holds the additional data to qualify viding important guidance, which will out by an Internet service provider the dynamic IP as personal data for the remain relevant under the forthcoming (ISP) who holds the details that, if website operator. The CJEU does not EU General Data Protection Regula - combined, can identify a particular think so. Rather, based on recital 26 of tion (the “GDPR”), the ruling raises user. the Directive, it must be determined certain questions, which may need to By contrast, the CJEU had not yet whether the possibility to combine a be answered in future cases. considered the case of a website opera - dynamic IP address with the additional tor, which does not hold these details, data held by the ISP constitutes “a _^`hdolrka and dynamic IP addresses. In Breyer , means likely reasonably to be used to The questions, which were referred to the CJEU now found that dynamic IP identify the data subject.” the CJEU for interpretation, arose in addresses can constitute personal data The CJEU excludes this possibility court proceedings in Germany that within the meaning of the Directive, in two cases, namely if the identifica - were brought by Patrick Breyer, a even if the website operator does not tion of the data subject was: German Pirate Party politician, against hold the details to identify the website • prohibited by law; or the German Federal Government. user. • practically impossible on account of Breyer had challenged the government Starting from the definition of per - the fact that it requires a dispropor - for its storage of his dynamic IP sonal data in Article 2 lit. a of the tionate effort in terms of time, cost address, without his express consent, Directive (which defines personal as and man-power, so that the risk of when he accessed the government’s “any information relating to an identi - identification appears in reality to websites. The government stored those fied or identifiable natural person; an be insignificant. addresses to defend itself against identifiable person is one who can be In its order for reference, the BGH denial-of-service and similar attacks on identified, directly or indirectly …”), suggested that, in particular in the event its websites and to allow the criminal the CJEU considered that dynamic IP of cyberattacks, under German prosecution of hackers. addresses do not directly reveal the national law, the website operator can Unlike static Internet Protocol (IP) identity of the natural person who contact the competent law enforcement addresses, dynamic IP addresses are owns the computer from which a authority which can take steps to NM =======ab`bj_bo=OMNS== =====PRIVACY LAWS & BUSINESS INTERNATIONAL REPORT © 2016 PRIVACY LAWS & BUSINESS ANALYSIS obtain the additional data from the ISP interests, but cannot definitively pre- the mere possibility that a third party and to bring criminal proceedings. In scribe the result of the balancing exer- (such as a competent authority) as light of this, the CJEU concluded that cise, and thereby exclude the possibil- opposed to the website operator him- it appears that the website operator has ity of processing certain categories of self may obtain the additional informa- the means which may likely reasonably personal data, without allowing a dif- tion required for identification suffices, be used in order to identify the data ferent result by virtue of the particular it can be questioned to what extent: subject, with the assistance of other circumstances of an individual case. • the criterion of “means which may persons, namely the competent author- In Breyer, the CJEU confirmed this likely reasonably be used” really ity and the ISP, on the basis of the IP previous ruling and held that Article 7 effectively limits the scope of what addresses stored. The case has been lit. f of the Directive precludes national constitutes personal data; and referred back to the BGH which will legislation which allows website opera- • how website operators can ever be issue its decision based on the CJEU’s tors to collect and use a user’s personal certain that no third party can ruling, subject to verification of the data only in limited circumstances, thus obtain the additional information. German rules. excluding the collection and use for the The CJEU specifically referred to purpose of ensuring the general oper- possible legal avenues under German jbj_bo pq^qbp e^sb ifjfqba ability of those services. law in the particular event of a cyber ollj clo j^klbrsob The CJEU thereby also implicitly attack. As a result, it seems possible The second question referred to the recognised that ensuring the general that the outcome (and hence the quali- CJEU relates to a provision (section operability and prevention of cyberat- fication of the same type of informa- 15) of the German Telemedia Act tacks can constitute a legitimate interest tion) can be different in other Member (Telemediengesetz or TMG) which within the meaning of Article 7 lit. f of States, depending on the available legal only allows the collection and use of the Directive, which may justify the avenues under the respective national usage data of users of information collection and use of personal data. The law, or in other circumstances (e.g. society services (such as websites), BGH will now have to assess whether other types of violations). The CJEU without their consent, to facilitate, and Germany has carried out the balancing only explicitly ruled out two cases in charge for, the specific use of the of interests properly. which the information does not qualify services by the user concerned. In the as personal data, namely, where the case at hand, Germany collected and tfabo fjmif`^qflkp lc qeb identification is prohibited by law or used the personal data of visitors to its _obvbo orifkd where it is practically impossible. websites, without their consent, for the The ruling is relevant to all parties that However, it is unclear whether this test much broader purpose of ensuring the collect and use IP addresses, including will be met if (only) the law of the general operability of its services and for website analytics or online country in which the website operator of preventing cyber attacks beyond the advertising. This is because the is established prohibits the identifica- specific use of the website. definition of personal data in the GDPR tion. Or do website operators poten- The CJEU first briefly considered is largely the same as under the tially have to assess the possible legal whether the processing of personal data Directive, although it specifically avenues of third parties (including at issue is excluded from the scope of includes online identifiers by way of competent authorities) under the the Directive under Article 3 (2). Pur- example. The ruling might even have national laws of other EU Member suant to this Article, the Directive does ramifications outside the online world in States or even third countries, too? It is not apply to processing operations the context of the use of pseudonymous also unclear what it would take to meet concerning state activities in the area of data and anonymization.