Much has been written in the past 2 weeks about the U.S. Presidential election. Time now for a diversion into the exciting world of data privacy and “personal data”. Because in the highly refined world of privacy and data security law, important news actually happened in the past few weeks. Yes, I speak breathlessly of the European Court of Justice (ECJ) decision on October 19th that IP (internet protocol) addresses are “Personal Data” for purposes of the EU Data Directive. This is bigly news (in the data privacy world, at least).
First, what the decision actually said, which leads immediately into a riveting discussion of the distinction between static and dynamic IP addresses.
The decision ruled on a case brought by a German politician named Patrick Breyer, who sought an injunction preventing a website and its owner – here, publicly available websites operated by the German government – from collecting and storing his IP address when he lawfully accessed the sites. Breyer claimed that the government’s actions were in violation of his privacy rights under the EU Directive 95/46/EC – The Data Protection Directive (Data Protection Directive). As the ECJ reported in its opinion, the government websites “register and store the IP addresses of visitors to those sites, together with the date and time when a site was accessed, with the aim of preventing cybernetic attacks and to make it possible to bring criminal proceedings.”
The case is Patrick Breyer v Bundesrepublik Deutschland, Case C-582/14, and the ECJ’s opinion was published on October 19th.
As with all internet users, Breyer’s internet activity was assigned a unique IP address by his internet service provider (ISP), in this case a “dynamic” IP address rather than “static”. An IP address enables correct communication of data from a website server to the correct recipient. In simple terms, a “static” IP address is one that is unchanged from use to use, while a “dynamic” address is changed each time the user accesses the internet. Most significantly, a static IP address is always associated with that user, making identification that much easier. A dynamic IP address, once used, is discarded and therefore has no association with that individual other than with that one-time use.
Although even that “simple terms” description isn’t quite right. For starters, while many ISPs do frequently and automatically change users’ IP addresses as a matter of course, a dynamic address is only “one-time” if it is actually changed from internet use to internet use. If the ISP does not change it, this won’t necessarily happen unless the user reboots his or her router before each internet session.
This being a case involving a dynamic IP address, the website operator – again, the German government – argued that the data could not be used in order to identify an individual, and therefore a dynamic IP address should not be considered “personal data”. In response, the court first discussed the law, then discussed the facts.
First the law. The Data Protection Directive defines “personal data” as “any information relating to an identified or identifiable natural person”. Further, an “identifiable person” is
… one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity …. (EU Directive, Article 2, (a), emphasis added)
The ECJ first acknowledged that a dynamic IP address could not – by itself – be used to “identify” a natural person, “since such an address does not directly reveal the identity of the natural person who owns the computer from which a website was accessed, or that of another person who might use that computer.” Next, the court discussed the significance of the “identifiable” language in the same “personal data” definition, finding that “[T]he use by the EU legislature of the word ‘indirectly’ suggests that, in order to treat information as personal data, it is not necessary that that information alone allows the data subject to be identified.” Rather, referencing Recital 26 of the Data Protection Directive, the court noted that “to determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person.” (emphasis added)
Breyer brought his claim under Section 15 of the German Telemedia Act (TMA), enacted under the umbrella of the Data Protection Directive and which restricts collection and use (by German “telemedia” companies) of users’ personal data except as “necessary to enable and invoice the use of telemedia (data on usage)”. As discussed above, the German government argued not only that dynamic IP addresses are not “personal data”, but that collection and use was necessary in order to prevent cybersecurity attacks and to facilitate criminal proceedings. And as noted by Christoph Ritzer in the Data Protection Report, the court found that “In this context, the government would likely have a legitimate reason to demand that the internet service provider correlate the IP address to the account holder, and thus allow the government to re-identify the individual.”
Interestingly, in 2011 the ECJ ruled in the Scarlet Extended case that IP addresses were “personal data”, but the Scarlet case involved an ISP that collected the IP addresses and already had lots of other information about its customers, not (as in the Breyer case) a website operator who only had the IP address data. As noted in the PageFair blog coverage of the Breyer case, the Breyer distinction “has farther-reaching consequences: the ISPs in the [Scarlet] case already knew who their customers are, whereas the Breyer case affects any and all websites.”
So, in this particular circumstance where the website operator could reasonably be foreseen to seek to re-identify an individual user, it is not necessary that the data – by itself – allow the website operator to identify an individual. The court thus rejected the German government’s argument that dynamic IP addresses could not be considered “personal data”.
And even so, concluding that dynamic IP addresses are “personal data” does not end the inquiry. In fact, it kind of makes it circular. Writes Rick Mitchell in Bloomberg Law, “IP addresses are protected under European Union laws only when they can ‘likely reasonably’ be combined with identifying information held by other parties.” And – at least under the Breyer scenario – that “likely reasonably” situation is found when the website operator already has a legitimate interest in collecting and using the IP address. The foreseeability of that “likely reasonably” scenario elevates the IP address into the category of protectable “personal data”, but that same scenario is enough justification to warrant such collection and use.
And therefore, what’s the point of saying that this is now “personal data”? The website operator (or the government, as in Breyer’s case) can use it anyway. Christoph Ritzer makes this same point:
… when dynamic IP addresses or other indirect identifiers become personal data in circumstances where there is no realistic intent or motive to re-associate [i.e. re-identify the previously anonymized user], but re-association is still possible, it is harder to tell if the test is now whether identification is a “practical impossibility because it requires disproportionate effort”. (quoting from the ECJ’s Breyer opinion).
That may be a point of confusion generated by the ECJ’s ruling, but the underlying sensitivity remains about taking care when anonymizing data to avoid the possibility of re-identification. As Mitchell writes in Bloomberg Law, “One lesson is that companies may need to update how they anonymize data, with the ruling in mind …. Data that companies considered anonymized could still be determined to be personal data, because just deleting identifying data might not be sufficient.”
Looking at Breyer from that perspective, the ruling is less a change than a restatement of the law about what kind of data constitutes “information relating to an identified or identifiable natural person”.