In a ruling with significant potential impact, the Court of Justice of the European Union (CJEU) has ruled that a dynamic internet protocol (IP) address may constitute "personal data" under EU Data Protection Directive (EC/95/46). If the person's identity can be combined by using the IP address and additional data, the EU Data Protection Directive applies.
Patrick Breyer v. Bundersrepublick Deutschland (Breyer) dealt with a dispute between a German citizen and the German government. Various public institution websites operated by the German government stored user IP address information, search terms, date of access, and quantity of data in log files for the purpose of preventing cyberattacks and identifying attackers. After accessing several of these websites, Mr. Breyer complained that his IP address information should be classified and treated as personal data under the Directive. The German government argued that IP addresses are not personal data, as Mr. Breyer could not be identified as the website user without the German government obtaining other corresponding information from an internet service provider.
Under the Directive, "personal data" is defined as "any information relating to an identified or identifiable natural person." A similar definition is used in the General Data Protection Regulation (GDPR), which goes into effect in May 2018.
In adopting the view of opinion of Advocate General Manuel Campos Sánchez-Bordona dated May 12, 2016, the court ruled that data may be deemed "identifiable" even if legal means are required to make the person identifiable. The court stated that even though dynamic IP addresses may not on their own be sufficient to identify a data subject, they should still be considered personal data where an internet service provider may provide additional information to identify the data subject, even if this is done pursuant to a request from a competent authority such as law enforcement agency. For example, entities often turn to the authorities for assistance in acquiring the information necessary to identify suspects of cyberattacks.
An exception to this may arise in cases where the identification of the individual is prohibited by law or practically impossible because it requires a disproportionate effort in terms of time, cost and manpower, so that the risk of identification would appear in reality to be insignificant.
The CJEU's ruling in Breyer materially broadens the definition of personal data under the Directive, and may foreshadow how IP addresses are handled under the GDPR (effective May 2018), insofar as the regulation currently defines personal data in the same manner as the Directive. In addition, it is yet to be seen whether this broad definition of what makes data "identifiable" could affect the implementation of the concept of "psuedonymization" used in the GDPR as a means to ensure the security of data, the lawfulness of processing, or enable research. Psuedonymization relies on data not being attributed to "a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person."
The information held by the ISP in Breyer was kept separate from the government's information and was subject to such technical and organizational measures but was nevertheless held to identify Mr. Breyer. U.S. multinationals and companies providing services to EU residents would be advised to include their collection and use of IP addresses in their assessment of how they process personal data in order to prepare for the GDPR coming into effect in May 2018.
