CJEU Rules that Dynamic IP Addresses can be Personal Information

On October 19^th, 2016, the Court of Justice of the European Union (CJEU) ruled in the case of Patrick Breyer v Bundesrepublik Deutschland. This case involved the German government’s collection of IP addresses from the users of some of its websites. The applicant, Mr Breyer, brought an action before the German courts seeking an order restraining the Federal Republic of Germany from storing the applicant’s IP address for any reason other than to restore media in the event of a failure.  Germany relied on domestic law that permitted online service providers to collect and use personal data, without consent, only to the extent necessary in order to facilitate, and charge for, the use of online services.

The German Federal Court of Justice referred the case to the CJEU to answer two questions with respect to the interpretation of the European Union’s Data Protection Directive (95/46/EC):

1. Should the Directive be interpreted to consider IP addresses collected by website operators to be personal information, even where a third party has the additional information required to make that information personally identifiable?
2. Does the Directive preclude legislation from a Member State that allows an online media service provider to collect and use personal data, without consent, only to the extent necessary in order to facilitate, and charge for, the specific use of services?

The CJEU answered the first question in the affirmative, finding that even dynamic IP addresses are personal information under the Directive where the website provider has the legal means to identify the data subject using additional data held by a third party, in this case a user’s internet service provider. Under German law, there are legal avenues that allow website operators to, in the event of cyberattacks, contact the competent authority in order to obtain additional information to identify a data subject for the purpose of bringing legal proceedings.

On the second question, the Court again sided against Germany.  The Directive allows for data holders to pursue “legitimate interests” in processing personal data, except where those interests are overridden by the privacy rights of the individual.  The CJEU reasoned that the German law carved out a definitive category of personal information that an organization can collect and use without balancing the privacy rights of the individual, as required by the Directive.