On 19 October the Court of Justice of the European Union issued its long awaited judgment on dynamic IP addresses (judgment in Case C-582/14: Patrick Breyer v Bundesrepublik Deutschland). The judgment will have a general impact on how to define ‘personal data’ beyond dynamic IP addresses and how this could affect some providers.
First, the basics… What is an Internet Protocol (or IP) address? Well, an IP address is like a postcode which is assigned to your internet enabled device (computer, phone, ipad etc.). Only instead of a letter, which is delivered to the recipient of a post code, it is internet traffic which is delivered to the recipient of an IP address.
Your IP address is assigned to you by your Internet Service Provider (ISP) and when you signup with your ISP, your ISP either assigns you a static IP address or a dynamic IP address depending on the contract. If you need to setup a web server or an email service, you’ll need a static IP address.
If, however, you are just browsing the internet, you can get by with a dynamic IP address which is cheaper than a static IP address and can afford more privacy, as your ISP can dynamically assign an IP address to your networking device each time your computer or router is rebooted, meaning that only your ISP provider has the additional information necessary to identify you.
Are you still with me? Good.
So, why is this all of this relevant? Recently a privacy activist and German Pirate Party politician named Patrick Breyer brought an action before the German courts seeking an injunction to prevent websites, run by the Federal German institutions that he consults, from registering and storing his internet protocol addresses. Those institutions register and store the IP addresses of visitors to those sites, together with the date and time when a site was accessed, with the aim of preventing cybernetic attacks and to make it possible to bring criminal proceedings.
The German Federal Court of Justice in turn made a referral to the Court of Justice asking whether ‘dynamic’ IP addresses also constitute personal data in relation to the operator of the website, and whether they would therefore benefit from the protection provided for such data.
By the CJEU’s judgment of 19 October 2016, the Court first of all confirms that a dynamic IP address does constitute personal data when it is registered by an ‘online media services provider’ (that is by the operator of a website) and it does constitute personal data with respect to the operator, if the operator has the legal means enabling it to identify the visitor with the help of additional information which that visitor’s internet service provider has.
In reaching its judgment, the Court appears to have placed some reliance on the fact that legal channels exist enabling online media services providers to compel ISPs to disclose identifying information in order to identify and prosecute those responsible for cyberattacks.
In this case, the CJEU said that the federal German institutions running the websites in question “may have a legitimate interest in ensuring the continued functioning of their websites which goes beyond each specific use of their publicly accessible websites,” when protecting their sites against online attacks.
The case now goes back to the German Federal Court of Justice, which will make its judgment based on the CJEU’s opinion. Given the top court’s reasoning, it seems likely that Mr Breyer will not be granted an injunction restraining Germany’s federal sites from storing data about his visits.
Website operators however, now face the prospect that information previously considered to be innocuous “log file data” now needs to be classed as personal data. As such it will be subject to applicable protections under European data protection legislation.
The judgment does not necessarily mean that dynamic IP addresses will be personal data in every context as the ruling focuses on “online media services providers” (i.e. website operators and mobile app providers). In the hands of others – who may not be able to compel ISPs to disclose the relevant users’ identities in the same way that website operators can – dynamic IP addresses may not constitute personal data.
For the internet, as for people then, it appears that dynamism will continue to be the source of some reverence for some time to come.