On 19 October 2016, the European Court of Justice (ECJ) held (Case C-582/14 – Breyer v Federal Republic of Germany) that dynamic IP addresses may constitute personal data. The ECJ also held that a website operator may collect and process IP addresses for the purpose of protecting itself against cyberattacks, because in the view of the Court, preventing cyberattacks may be a legitimate interest of a website operator in its effort to continue the operability of its website.
The ECJ’s ruling was based on two questions referred to it by the German Federal Court of Justice (BGH). In the underlying German proceedings, a member of the German Pirate Party challenged the German Federal Government’s logging and subsequent use of his dynamic Internet Protocol (IP) address when visiting their websites. While the government is a public authority, the case was argued on the basis of German provisions that address both public and private website operators, and is therefore directly relevant for commercial companies.
IP Addresses as Personal Data
The BGH’s first question to the ECJ was whether an IP address is considered personal data (i.e., any information relating to an identified or identifiable natural person) under the EU Data Protection Directive (Directive 95/46/EC). In answering the BGH’s first question, the ECJ confirmed that dynamic IP addresses are considered personal data within the meaning of the Directive in circumstances where the data collector (e.g., a website operator) is likely or reasonably able to obtain information from a third party that would allow it to identify the user. In this case, the Court observed that the German website operator could report potential cyberattacks to the police or public prosecution, who would use the IP address to obtain the identity of the attacker from the third party internet service provider, and then make it available to victims (i.e., the German website operator) who request to inspect the records.
Preventing Cyberattacks is a Legitimate Interest
The BGH’s second question was whether the German Telemedia Act, which permits the collection of usage data that identifies individuals exclusively for the purpose of rendering a service and billing, conflicts with the Directive’s rules regarding the collection and processing of personal data. The ECJ held that the German law was too restrictive and should also allow for lawful processing of personal data if necessary to achieve a “legitimate interest” of the data controller. This may include the logging of IP addresses in order to thwart and trace cyberattacks. However, the ECJ also made clear that this objective must still be balanced against the interests and fundamental rights of the visitors of the website.
While the ECJ’s decision confirms that IP addresses may be personally identifiable, this classification is not universal. The ECJ’s decision makes clear that classifying certain data elements as personal data may depend on the actual capabilities of the data collector. In particular, if the website operator cannot legally access third party information that could be used to identify an IP address owner, or if access to such third party information is “practically impossible”, then the IP address is not personal data from that operator’s perspective. This may also be true for other data elements or indirect identifiers that are not traditionally considered personal data, such as device IDs.
On the one hand, the ECJ’s expansive definition of personal data will require data collectors to take an extra step and consider whether they can use each particular data element, in combination with other data to which they may have access, to indirectly identify an individual. On the other hand, the definition depends on each entity’s access to additional information. This means that data controllers might be able to employ pseudonymisation to escape the strict requirements of European data protection laws altogether, and particularly when engaging data processors in third countries such as the US. If data controllers replace all identifying data with a label or number that is arbitrary to the processor, then that data will not be personal data from the processor’s perspective. The controllers themselves could nevertheless retain their ability to identify individuals and relate the results of the processing.
It still remains to be seen how the BGH and other national courts will balance the interests of the website owners and their visitors. While the ECJ acknowledged that combating potential and concrete cyberattacks is a “legitimate interest” of a website operator, the national courts (or the ECJ under the forthcoming General Data Protection Regulation) may later draw a line that will prevent operators from excessive logging and from keeping the logs for longer than necessary. Furthermore, the Directive does not allow using the so-collected data for other purposes, and the decision should therefore not be considered a carte blanche.