A member of Germany’s Pirate Party – a pro-internet political movement, emphasizing the importance of fundamental personal rights – had sued the German State, because of its websites allegedly not treating his dynamic IP address in accordance with its data protection legislation. Whether Germany played by European rules went to Europe for the decision. The court denied the German State’s view on personal data, yet the claimant may still not be satisfied with the outcome.
CJEU: IP addresses as personal data for website Operators
According to the Court of Justice of the European Union (CJEU), dynamic IP addresses may be personal data for website operators and thus fall under the scope of data protection (CJEU, Judgement of October 19, 2016 – C-582/14
). Some European countries took this as a fact already.
Nevertheless it is interesting to take a closer look: Internet service providers (ISP) assign to users dynamic IP addresses, which change each time there is a new connection to the internet. And these ISP of course know the user’s real identity. The IP address is used for communication between users and websites. As a result, website operators know the IP addresses, but they cannot attribute them to specific users, unless helped by the ISP to establish the missing link of the constantly changing “dynamic” allocation to the ISP’s customer. Would then the IP address be a personal data for the website operator?
And here comes the law: The provisions concerning the protection of personal data only apply to data which can be attributed to a person who is at least identifiable. The CJEU states that in order to determine whether a person is identifiable, not only information at the data controller itself (such as website operators) is to be taken into account. Rather, additional data must be considered, which may be obtained by the data controller from a third party through legal means. Under certain conditions, German law permits the transfer of information on dynamically assigned IP addresses by the internet access provider to the website operator. Therefore, according to the CJEU, dynamic IP addresses (also) represent personal data for the website operator and are covered by data protection laws.
The CJEU thus issues a judgment on a controversial basic question of data protection: Which additional information, that is only available at third parties, is to be taken into account for the question as to whether information can be attributed to a natural person? According to the CJEU, all additional information is relevant, which can be obtained from a third party by legal means.
The irony of the proceeding sits elsewhere though: The CJEU also addressed Section 15 German Telemedia Act, which requires the deletion of usage data after the end of the actual use, unless they are required for billing purposes. This is in breach of EU law: The European Directive (95/46/EC
) also allows the use of usage data to maintain the functionality of generally accessible websites by their operators. Ultimately, this means that the use of personal data, which was targeted by the claimant, will likely be held legitimate by the German courts. The Defendant – the German state – has rather obviously not played by European rules, but will likely win the case because its own laws were too restrictive in protecting personal data compared to current European laws.Conclusion:
Personal data also covers information where the data controller is only able to identify a natural person by use of additional information, obtainable from third parties by legal means. In other words, not only the data available at the controller itself needs to be considered in order to determine whether a natural person is identifiable, but also such at third parties the controller may legitimately access.