On October 19, the Court of Justice of the European Union (CJEU) ruled that dynamic IP addresses may qualify as “personal data” under EU privacy law. As we covered here on the blog a few months ago, this decision is significant because it clarifies that companies that collect, store, process, and/or transfer dynamic IP addresses belonging to EU users may have to treat them in accordance with the stringent restrictions that EU law imposes on the handling of personal data. As a refresher, an IP (short for “Internet protocol”) address is a series of numbers allocated to a specific device that identifies a device and allows it to access an electronic communications network, such as the Internet. IP addresses can be either “dynamic” or “static”; dynamic IP addresses, which are more common, change every time the device connects to the Internet, while static IP addresses remain constant and do not change every time the device re-connects.
Although the decision was not surprising – both because static IP addresses have been more widely recognized as personal data for some time, and because Advocate General Manuel Campos Sánchez-Bordona issued an opinion advising the court that it should recognize dynamic IP addresses as personal data several months ago – it means that companies should determine whether or not they already have been treating any dynamic IP addresses they collect as personal data and, if necessary, change their practices to accommodate this new ruling.
The case made its way to the EU’s highest court from the German courts, where politician Patrick Breyer originally brought the action. As we covered in detail in our earlier post, Breyer sought an order restricting German government websites from collecting and storing the dynamic IP addresses of Internet users who accessed those sites, claiming that a dynamic IP address – combined with additional information such as the date of access – could be used to identify a user, thereby making it “personal data” under Article 2 of the EU Data Directive. In this case, the German government only collected users’ dynamic IP addresses and could not identify users on this basis alone; however, it could identify its websites’ users by obtaining additional information from individuals’ Internet service providers and reviewing that information in combination with the dynamic IP addresses. Moreover, the German government had the legal authority to obtain this additional information from the Internet service providers. The CJEU’s ruling therefore was limited to this specific context, as the court held that dynamic IP addresses constitute personal data where an “online media services provider […]has the legal means which enable it to identify the data subject with additional data which the internet service provider has about that person.”
Regardless of the somewhat specific scope of the decision, the larger takeaway from the CJEU’s ruling is that a dynamic IP address may qualify as personal data if the “online media services provider” (a term which likely includes any company with a website) collecting the dynamic IP addresses has the legal means to obtain additional information that, in combination with the dynamic IP addresses, will allow the entity to identify users. In theory, the decision leaves open the possibility that not all dynamic IP addresses may be considered personal information in every situation. For example, if a provider collects dynamic IP addresses and does not have legal access to any other source of information about its users and therefore cannot identify them, the dynamic IP addresses may not qualify as personal data. Additionally, the CJEU’s ruling that a service provider have the “legal means” to obtain this third party data indicates that, in practice, the court’s holding may constrain government actors more than private entities, as government actors may be more likely to have the legal right to obtain this additional information.
As always when determining whether certain information is “personal data” under the Directive, the primary question is whether the information allows a party to identify the data subject. Companies that offer “online media services” (which, again, likely means most companies) therefore should evaluate whether or not they collect dynamic IP addresses, how they use them, and whether data subjects are identifiable through those dynamic IP addresses – even if making the actual identification requires the (legal) collection of additional information from a third party.
The press release announcing the ruling may be found here.