Abstract
CJEU decision concerning the processing of personal data by a German state agency in regard to dynamic IP addresses. Answers the question: Do IP addresses count as personal data?
This was decided pre-GDPR (2016), based on Directive 95/46, but it helps to see historical decisions.
Case summary
- Mr. Breyer accessed several German Federal Institutions websites
- The sites stored information on all access operations in log files
- Information stored included name of the web page, terms entered in the search fields, time of access, quantity of data transferred, an indication of whether the access was successful and the IP address
- First action was dismissed
- The national court ordered the Germany to refrain from storing or arranging with third parties to store information relating to Mr. Breyer’s access including his IP address and any information that could result in revealing his identity
- Court also stated that a dynamic IP address together with the date on which the website was accessed, where the user had revealed his identity during that consultation period, amounts to personal data since the user’s identity is tied to that particular dynamic IP address
- In cases where the user does not reveal their identity and only the ISP knows, it doesn’t amount to personal data
Answered questions
- Whether a dynamic IP address constitutes personal data as defined under Article 2(1)(a) Directive 95/46 where a third party has additional knowledge required to identify a data subject.
- Whether Article 7(1)(f) prevents a provision in national law that allows a service provider to collect and use personal data without the data subject’s consent for purposes of ensuring general operability of the tele-medium.
Summary
- A dynamic IP address alone doesn’t amount to information of an identified person; for it to fall under the definition in Article 2(1)(a) Directive 96/45 there must be additional data that can lead to the identification of a natural person.
- Recital 26 Directive 95/46 states that to determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person → this was kept for GDPR
- Paragraph 15 of TMG (now outdated) was invalid as it reduced the scope of the principle laid down in Article 7 of Directive 95/46.
More: GDPRhub