[BreachExchange] IP Addresses as Personal Data – Website Providers To Come Under Even More Scrutiny With EU Data Privacy Law

Audrey McNeil audrey at riskbasedsecurity.com
Thu May 19 19:17:24 EDT 2016


http://www.jdsupra.com/legalnews/ip-addresses-as-personal-data-website-91710/

Website providers that collect dynamic Internet Protocol addresses (“IP
address”) from website visitors may soon be subject to even more scrutiny
from data protection authorities in the EU.

Last week, Europe’s Advocate General Manuel Campos Sánchez-Bordona (one of
the advisors to the European Court of Justice, “ECJ”) released an opinion
which, if followed by the ECJ, would end the long-debated question of whether IP
addresses are personal data subject to EU data privacy law. The Advocate
General takes the view that dynamic IP addresses are personal data in the
hands of a website provider when a third party (e.g. the internet access
provider) has access to additional information that would enable
identification of the Internet user.

Online activity of Internet users, such as analytics information tied to IP
addresses, is often collected and used by website providers for purposes
such as marketing and website optimization. Such information is often
collected and retained for a longer period of time without acquiring the
individual’s consent, even though consent may be required. This opinion is
of paramount interest for any such website provider.

Under EU privacy law it has long been debated whether a dynamic IP address
qualifies as “personal data” even if it alone does not enable the recipient
to identify the user. EU Directive 95/46/EC states in its Recital 26: “(26)
Whereas the principles of protection must apply to any information
concerning an identified or identifiable person; whereas, to determine
whether a person is identifiable, account should be taken of all the means
likely reasonably to be used either by the controller or by any other
person to identify the said person;…”.

So far, it has been highly disputed whether information in the hands of a third
party such as an internet access provider is “likely reasonably to be used
by”, for example, a website provider.

For example, the German Data Protection Authorities classify IP addresses
as personal data in general, while many legal scholars and also the German
courts tend to take a more fact-specific view and regard IP addresses as
personal data only if they believe that the entity collecting the IP
address also has reasonably easy access to additional information that
allows the identification of the user. Also on the EU level, IP addresses
are most often considered personal data, and the upcoming General Data
Privacy Regulation confirms this view.

However, even before the General Data Privacy Regulation comes into force,
the debate may soon come to an end. The Advocate General’s opinion was
delivered in a case that was referred to the ECJ by the German Federal Supreme
Court (Bundesgerichtshof, “BGH”). The German politician Patrick Breyer
lodged a case against the German government requesting it to stop storing
dynamic IP addresses from visitors to German government websites for longer
than was necessary to deliver the website content. The government stores IP
addresses in log files for a longer period in order to enable the
identification and prosecution of attackers and hackers. Breyer argues that
the IP addresses could be linked back to him and would thus constitute
personal data. The Advocate General’s opinion agrees with this argument,
and while not binding on the ECJ, is likely to be highly persuasive to the
ECJ.

In a ruling rendered on 17 December 2014, the BGH referred the following
questions to the ECJ:

1. Whether, under Article 2a of the EU Data Protection Directive 95/46/EC,
an IP address is personal data when the IP address is stored by a website
provider and a third party (e.g., an internet access provider) possesses
sufficient additional data to identify the user.
2. Whether Art. 7f of the EU Data Protection Directive is contrary to a
provision in a national member state’s law according to which a website
provider may collect and process the personal data of users without their
consent only to the extent it is necessary to (1) enable the general
functionality of the website or (2) arrange payment. In addition, the
relevant provision of the national member state’s law states that enabling
the general functionality of the website does not permit user data to be
processed after the user closes, or navigates away from, the website.

For the first question, according to the Advocate General, IP addresses
that a website provider stores when its website is accessed by a website
visitor constitute personal data under EU data protection law, even if the
additional information necessary to identify the data subject is only in
the possession of the internet access provider. Contrary to the view of the
Federal Republic of Germany, which argued that such third-party knowledge
was not relevant since the internet access provider would only be permitted
to disclose such information in very limited situations, the Advocate
General argued that possession by the access provider was relevant and
decisive. The Advocate General argued that even such limited situations of
data disclosure by the website provider would be sufficient to assume that
such knowledge of the website provider would be “means likely reasonably to
be used by third parties” (see Recital 26 of EC Directive
95/46/EC).

This is a fairly broad view of third-party knowledge, as a website operator
has only very limited means to request such information from an internet
access provider.

For the second question, the Advocate General stated that EU Member States
cannot completely forbid the retention of IP addresses where they are
retained for the legitimate interest of a website operator to enable the
use of its website.

If the ECJ’s final decision follows the Advocate General’s opinion, it
would mean that:

- Any recording, storage or use of dynamic IP addresses by website
providers beyond the period of use for a clearly defined purpose would
require the consent of the Internet user, unless the website service provider
can demonstrate that the retention of IP addresses is necessary to ensure
the proper functioning of such website.
- Website providers that have previously relied on the assumption that dynamic
IP addresses are not personal data, and as such not covered by EU data
privacy law, would have to rethink and re-evaluate the processing of IP
addresses and the ways to achieve their data-privacy-compliant processing.