On 19 October 2016, the Court of Justice of the European Union (CJEU) gave its judgment on C-582/14: Patrick Breyer v Bundesrepublik Deutschland, on the preliminary ruling concerning the interpretation of Articles 2(a) and 7(f) of the Data Protection Directive, on whether dynamic IP addresses constitute personal data and whether they can be processed in the legitimate interests of the website operators (such as for operability purposes).
Patrick Breyer, a German citizen, brought an action against the Federal Republic of Germany, as the operator of publicly accessible websites, to prevent the German public authorities from logging and storing his IP addresses when he browsed their websites. The German Federal Court of Justice referred two questions to the CJEU:
1. whether dynamic IP addresses of website visitors constitute personal data in relation to the website operator if only a third party (in this case, the internet service provider – ISP) can identify the visitor; and
2. whether Article 7(f) of the Data Protection Directive precludes such provision in national law which prevents the website operator from collecting and using a visitor’s personal data without the visitor’s consent for the purpose of ensuring the general operability of the website.
On the first question, the Court noted that dynamic IP addresses, which are assigned by the ISP to the user for a limited period of time, are different from static IP addresses, which are ‘invariable and allow continuous identification of the device connected to the network’ (¶36). Static IP addresses are generally considered to be personal data. The Court also noted that both static and dynamic IP addresses are considered as personal data with respect to the ISPs and their customers, as it held in Scarlet Extended.
In this case, the Court chose to apply the ‘relative’ or ‘subjective’ criterion to the qualification of dynamic IP addresses. According to this criterion, a dynamic IP address is personal data if it is legally and practically possible for the website operator to obtain additional data from the ISP to identify the visitor. In this case, the website operator cannot get the data from the ISP directly, even though the website operator is a public authority; nevertheless, there is the possibility under German law to have the visitor identified by the ISP, such as when there is a cyberattack launched from the visitor’s IP address. Therefore, the Court’s answer to the first question was affirmative: dynamic IP addresses are personal data to the website operator if the visitors are identifiable by the ISP.
On the second question, the Court first had to determine if the processing of personal data (IP addresses of the visitors to the government websites) is excluded from the scope of the Data Protection Directive altogether, because the Directive does not apply to personal data processing operations concerning the activities of the state in areas of criminal law (Article 3(2)). The Court concluded that the German federal institutions running the websites and collecting the IP addresses are to be treated as individuals, despite their status as public authorities, and their activities are hence covered by the provisions of the Directive.
The Court held that Article 7 of the Data Protection Directive sets out an ‘exhaustive and restrictive list’ of options in which the processing of personal data is lawful, and so a member state can neither expand nor limit the list. However, the German legislation does not contain the principle from Article 7(f) of the Directive, which allows the processing of data if it is ‘necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject which require protection under Article 1(1)’. The German Federal institutions may have a legitimate interest in ensuring the functioning of their websites, and for this purpose they should be able to collect and use the IP address of a visitor’s device after it disconnects from the website. Therefore, the second question was also answered affirmatively by the Court: national law cannot limit the options for data processing as set out in the Data Protection Directive.
The Court’s argument in Breyer develops the case law with respect to IP addresses in a predictable way, generally following the opinion of the Advocate General in this case. However, in its answer to the first question, the Court’s ‘relative’ criterion of identifiability for treating dynamic IP addresses as personal data may seem practically obsolete. As noted by the Article 29 Working Party in Opinion WP 136, service providers such as website operators will rarely be able to tell, at the moment of collection, whether the identification of a particular IP address is possible by obtaining additional data from an ISP, let alone the question whether a particular IP address is static or dynamic. Consequently, they will have to treat all IP addresses as personal data, ‘in order to be on the safe side’. Possible exceptions may be the IP addresses of Tor exit nodes or VPN servers whose providers are unable (or unwilling) to identify the users, but even in those cases, the provider can be a natural person whose identity can be obtained and whose personal data has to be treated as such.
Another, probably more common avenue by which a dynamic IP address can be linked to a particular person is the use of login, cookies or trackers (see Opinion WP 148 of the Article 29 Working Party). All of these options are also covered by the new definition of personal data in Article 4(1) of the General Data Protection Regulation (GDPR) applying from 25 May 2018. This definition expressly mentions ‘online identifiers’, which presumably includes logins, cookies, trackers and IP addresses.
The answer of the Court to the second question regarding the ‘operability purposes’, is a welcome development from the cybersecurity perspective and may help online media service providers in the EU to better protect themselves from cyberattacks. By storing the visitors’ IP addresses in a list, they are able to blacklist those IP addresses by which their websites were attacked in the past, and they can redirect malicious requests to a sinkhole or a honeypot.
The ‘fundamental rights and freedoms of the data subject’ will also have to be taken into account when logging and storing the IP addresses or other online identifiers. In this, the Breyer case supplements the case law in Digital Rights Ireland and Schrems, and gives member states the chance to better regulate the fragile balance between data retention and personal data protection.
Tomáš Minárik and Audrey Garcia
This publication does not necessarily reflect the policy or the opinion of the NATO Cooperative Cyber Defence Centre of Excellence (the Centre) or NATO. The Centre may not be held responsible for any loss or harm arising from the use of information contained in this publication and is not responsible for the content of the external sources, including external websites referenced in this publication.