[BreachExchange] Court confirms that IP addresses are personal data in some cases

Audrey McNeil audrey at riskbasedsecurity.com
Wed Nov 2 10:41:58 EDT 2016


http://www.jdsupra.com/legalnews/court-confirms-that-ip-addresses-are-35566/

On 19 October 2016, the Court of Justice of the European Union (the
"CJEU") published its judgment in Case 582/14 – Patrick Breyer v
Germany, in which it held that IP addresses are personal data in
certain circumstances. The judgment is broadly in line with the
Advocate General's Opinion in this case, from May 2016, which we
reported previously.

The case involves websites operated by the Federal Republic of Germany
(the "BRD"). Like many website operators, the BRD records the IP
addresses of visitors of its websites. Patrick Breyer (a member of the
Pirate Party) sued the BRD, claiming that: (i) IP addresses qualify as
personal data under EU data protection law; and (ii) that the BRD
therefore required consent from individuals in order to process such
data.

On appeal, the Regional Court of Berlin (the "Kammergericht") ruled
that IP addresses in the hands of website operators could qualify as
personal data if the relevant individual provides additional details
to the website operator (e.g., name, email address, etc.) in the
course of using the website. Both parties subsequently appealed this
ruling to the German Federal Court of Justice (the "BGH"). The BGH
referred two questions to the CJEU regarding the interpretation of
Directive 95/46/EC (the "Directive") in this context. In particular,
the BGH asked the CJEU to determine whether dynamic IP addresses are
personal data in the hands of a website operator, if a third party
(e.g., an Internet Service Provider ("ISP")) holds additional
information (e.g., account details) that can be used to link those
dynamic IP addresses to the identity of the relevant individual.

The CJEU's analysis

How are personal data defined?

Personal data are defined in Article 2(a) of the Directive as "any
information relating to an identified or identifiable natural person
('data subject')". An identifiable person is one "who can be
identified, directly or indirectly […]" (emphasis added). Further
analysis of the issue of identifiability is provided by the EU's
Article 29 Working Party, in its Opinion 4/2007.

What are dynamic IP addresses?

In the present case, Mr Breyer's IP address was dynamically allocated
(i.e., each time he connects to the network, his device is issued with
a new IP address). Ordinarily, a dynamic IP address does not provide a
website operator with sufficient information to directly identify an
individual user, unless additional information is also available
(e.g., the user logs into the website and provides information that
enables the website operator to identify that user). The parties
agreed that the IP address in question did not directly identify Mr
Breyer.

Is the test for identifiability objective or relative?

The critical issue was whether Mr Breyer was indirectly identifiable,
from his dynamic IP address in combination with other available
information. The CJEU turned to Recital 26 of the Directive which
states that "to determine whether a person is identifiable, account
should be taken of all the means likely reasonably to be used either
by the controller or by any other person to identify the said person".

Although Mr Breyer's dynamic IP address did not directly identify him,
the parties all agreed that he could be indirectly identified by the
combination of his IP address plus the account data held by his ISP. A
key question for the Court was whether the test for determining
identifiability is either:

(i) objective (i.e., the IP address is personal data in everybody's
hands because the ISP can link the IP address to Mr Breyer's real
world identity, even if nobody else can do so); or

(ii) relative (i.e., the IP address is personal data in the ISP's
hands, but would not be personal data in the hands of another party
that had no lawful means of accessing the information held by the
ISP).

Although the CJEU did not expressly resolve this question, it is clear
from the judgment that the Court adopted the relative criterion. Where
a piece of information (such as an IP address) does not directly
identify a person, that piece of information will nevertheless be
personal data in the hands of any party that can lawfully obtain
sufficient additional data to link the information to a person's real
world identity. On the other hand, that same piece of information will
not be personal data in the hands of a party that has no legal means
of obtaining sufficient additional data to make such a link.

What makes a dynamic IP address personal data?

The CJEU decided that a dynamic IP address will be personal data in
the hands of a website operator if:

(i) there is another party (such as an ISP) that can link the dynamic
IP address to the identity of an individual; and

(ii) the website operator has a "legal means" of obtaining access to
the information held by the ISP in order to identify the individual.

On the facts, if the BRD has the legal power to compel the relevant
ISP to disclose sufficient information to identify Mr Breyer, then Mr
Breyer's IP address will be personal data in the hands of the BRD.

Impact on businesses

The CJEU's decision in Breyer expands upon its previous decision in
Case C-70/10 – Scarlet Extended (in which the Court held that IP
addresses constitute personal data, but offered very little analysis
as to why that was the case). The impact of the Breyer decision on
businesses remains to be seen. If a business collects and processes IP
addresses, but has no legal means of linking those IP addresses to the
identities of the relevant users, then those IP addresses are unlikely
to be personal data. However, businesses should note that if they have
sufficient information to link an IP address to a particular
individual (e.g., through login details, cookies, or any other
information or technology) then that IP address is personal data, and
is subject to the full protections of EU data protection law. For many
businesses, this is likely to require a review of how IP addresses are
handled in the context of activities such as customer engagement,
website analytics, targeted online advertising, and so on.

It is also unclear what businesses could do to avoid this problem. For
example, a business could contractually oblige individuals not to
provide additional information linking their IP address to their
identity (e.g., through its website Terms & Conditions). But if an
individual provided that additional information (albeit in breach of
contract) it seems that the relevant IP address may nevertheless be
personal data.

In addition, businesses should note that Recital 26 to the recently
adopted EU General Data Protection Regulation ("GDPR") states that the
test for whether a person is "identifiable" (considered in detail
above) depends upon "all the means reasonably likely to be used" to
identify that person. The CJEU in Breyer did not directly consider the
issue of likelihood of identification. If the BRD was not reasonably
likely to attempt to identify Mr Breyer from his IP address, this could
potentially give rise to a different analysis under the GDPR.
Consequently, it may be necessary for the CJEU to revisit this issue
after enforcement of the GDPR begins on 25 May 2018.
