Whether or not an IP address is “personal data” can be a crucial question because the answer determines whether or not the data is subject to the rigours of the EU Data Protection Directive (in the UK, the Data Protection Act).
An IP address is a number used to identify a device on a network. An IP address can be “dynamic” or “static”. A static IP address remains constant and does not change every time the device connects to the Internet. In contrast, the more usual dynamic IP address changes each time a new connection is made.
It has long been agreed that static IP addresses are personal data because they enable a link to be made with a particular device for profiling. IP addresses enable an individual to be “singled out” (even if that individual’s real-world identity remains unknown).
In its early opinion 4/2007, the Article 29 Working Party accepted that an IP address, for example, for a computer in an Internet café used by many people may not identify any particular individual. In other cases, however, the IP address can be associated with a particular user if for example there is a log of who used the computer at the relevant time. The Working Party therefore concluded that all IP information should be treated as personal data, “to be on the safe side”.
The question of whether a dynamic IP address can be “personal data” was less certain.
Patrick Breyer v Bundesrepublik Deutschland
The Court of Justice of the European Union (CJEU) has now ruled that dynamic IP addresses held by a website operator are personal data where the operator has “the legal means which enable it to identify the data subject with additional data which the internet service provider has about that person”.
While a dynamic IP address alone may not directly identify an individual, when combined with other information a dynamic IP address could be used to identify the individual user.
The question before the Court was whether a dynamic IP address can be personal data if the relevant additional information is in the hands of a third party (an internet service provider).
The case was brought by a politician, Mr Patrick Breyer, against the Federal Republic of Germany seeking to prevent them from storing, or arranging for third parties to store, his IP address from when he consulted publicly accessible websites of German Federal institutions. Mr Breyer claimed that IP addresses qualify as personal data under data protection laws; and therefore that consent was needed for processing such data.
If a user of a website reveals his identity on the website, for example by completing a form, then the IP address is certainly personal data because the operator of that website is able to identify the user by linking his name to his computer’s IP address.
However, if the user does not reveal his identity, the IP address alone does not enable the user to be directly identified. The website operator can identify the user only if the information relating to his identity is communicated to them by his ISP.
The court decided that the fact that the additional data necessary to identify the user are held, not by the website operator, but by the user’s ISP does not exclude dynamic IP addresses from being personal data. The question is whether the website operator has a legal way to obtain the additional data from the ISP. In that case it was decided that the Federal Republic of Germany did have a legal means to obtain the necessary additional information from the ISP and therefore the raw dynamic IP address data should be regarded as personal data. For information to be treated as “personal data”, it is not necessary that all the information enabling the identification of the data subject must be in the hands of one person.
The Court has decided that a dynamic IP address could – but will not always necessarily – constitute personal data. In light of this decision, businesses that have not up to now been treating dynamic IP addresses as personal data need to re-assess that position and may need to alter data compliance practices. This may for example impact businesses engaged in online analytics and targeted advertising.
It may be that the case highlights a possible difference between the UK Data Protection Act and the implementation of the Directive in other EU countries. In the UK, data is personal data if an individual can be identified from those data and from “other information which is in the possession of, or is likely to come into the possession of, the data controller”. Is data “likely” to come into the possession of a data controller where the only way for him to obtain it is to ask for it?
All this will soon become academic as, looking ahead to May 2018, the General Data Protection Regulation (GDPR) specifically includes online identifiers, such as IP addresses, in its definition of “personal data”. It’s not that the position is now beyond doubt, it’s just that the nature of the question is changing …
Nigel Miller is a partner in the commerce & technology team at City law firm Fox Williams LLP and can be contacted at firstname.lastname@example.org