In a decision dated October 19, 2016, the Court of Justice of the EU has finally concluded that “a dynamic IP address registered by an online media services provider when a person accesses a website that the provider makes accessible to the public constitutes personal data within the meaning of that provision, in relation to that provider, where the latter has the legal means which enable it to identify the data subject with additional data which the internet service provider has about that person.”
According to the CJEU, a dynamic IP address will be considered personal data under EU law even though the collection and identification of the address is carried out by a third party ISP.
Mr Breyer, a resident of Germany, brought an action before the German administrative courts seeking an order restraining the Federal Republic of Germany from storing, or arranging for third parties to store, after consultation of the websites accessible to the public run by the German Federal institutions’ online media services, the IP address of the applicant’s host system except in so far as its storage is unnecessary in order to restore the availability of those media in the event of a fault occurring.
The Bundesgerichtshof (Federal Court of Justice) referred the matter to the highest court of the EU. The CJUE, in the case of Scarlet Extended, already held that IP addresses are considered personal data in that they permit the precise identification of a particular individual. But in that earlier case the collection and storage of the addresses were performed directly by the website operator, whereas in the present case it is the ISP who has access to the data, not the operator of the website to which a particular user connects using his personal device.
Under Article 2 of Directive 95/46 (the “Privacy Directive”),“personal data” is defined as “any information relating to an identified or identifiable natural person”, whereas an identifiable person is one “who can be identified, directly or indirectly“, using all the means likely reasonably to be used either by the controller or by any other person to identify the said person (Recital 26 of the Directive).
Therefore, concludes the Court, the fact that the data is held by a third party shall not imply that the data isn’t considered personal data under the law, particularly since the website collecting the information does have the legal means to obtain from the ISP, via the local authorities, the data which it has about that person.
The Court then had to decide whether the consent of the individual whose personal data is being collected was required, from the moment that German law only provides for an exception for invoicing purposes. The website invoked the necessity to ensure the general operability of the services it provides through the website, including for the purpose of preventing cyberattacks and making it possible to prosecute ‘pirates’.
The Directive also provides that no consent is required where, pursuant to Article 7(f), the ‘processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed’. The Court however found that the German legislation is more restrictive than Article 7 of the Directive which “precludes the legislation of a Member State under which an online media services provider may collect and use personal data relating to a user of those service, without his consent, only in so far as the collection and use of that information are necessary to facilitate and charge for the specific use of those services by that user, even though the objective aiming to ensure the general operability of those services may justify the use of those data after consultation of those websites.”