IP Addresses Are Protected Personal Data, EU Top Court Rules

By Rick Mitchell

Oct. 19 — Internet protocol addresses relating to visitors’ use of websites constitute protected data under European Union laws, the EU’s top court ruled Oct. 19 (Breyer v. Bundesrepublik Deutschland, E.C.J., No. C-582/14, 10/19/16).

But website operators may have “legitimate interests” for storing that data to protect against cyberattacks, the Court of Justice of the European Union (ECJ) said.

The ruling may force changes in the operations of online companies that have EU operations—or that have customers there—and identify users by their IP addresses for tracking or other purposes, privacy officials say.

Internet protocol (IP) addresses are protected under European Union laws only when they can “likely reasonably” be combined with identifying information held by other parties, the EU's top court ruled.

The Luxembourg-based European Court of Justice found that dynamic IP addresses registered by a public website operator are personal data, but only if the operator “has the legal means enabling it to identify the visitor with the help of additional information which that visitor's internet service provider has.”

Berend van der Eijk, a data protection associate at Bird & Bird LLP and attorney in The Hague, told Bloomberg BNA Oct. 19 that the ruling means that online companies such as social media networks, search engines and others can no longer assume that just because they don't hold all pieces of the identification puzzle for certain IP data, a court won't find that data is personal data, with all the restrictions that entails.

Gabe Maldoff, London-based privacy practice associate at Bird & Bird and former Westin Fellow at the International Association of Privacy Professionals, told Bloomberg BNA Oct. 19 that “this decision reflects a growing awareness that seemingly anonymous data can be used to identify individuals.” Maldoff said that “for organizations that collect IP addresses, this means that even if you can't identify individuals from it, the fact that others can could subject you to European data protection requirements.”

As the new EU General Data Protection Regulation (GDPR) takes effect in May 2018, “U.S. organizations will need to pay attention to how they protect any IP addresses they collect,” Maldoff said. Keeping IP addresses “secure is one thing, but you will also need to make sure you have a lawful basis to store the IP address in the first place,” he said.

Germany's Federal Data Protection Commissioner Andrea Voßhoff said Oct. 19 that the ECJ is “setting a further signal for the necessity of a strong data protection framework in our increasingly digitized world.” The development is “very important for the uniform implementation of the GDPR entering into effect in May 2018.”

U.S. Data Collection Impact

U.S. companies that do business in the EU, such as Alphabet Inc.'s Google, Amazon.com Inc., Facebook Inc. and others that log users' IP addresses, may feel the impact from the decision.

Based on the ECJ's ruling, Van der Eijk said individual countries' courts will now have to assess whether local law enforcement officials will be able to obtain additional identifying data from an internet service provider (ISP).

“Maybe in some countries and some cases it will be still extremely difficult to get information, and in such cases the dynamic IP might not qualify as personal data,” Van der Eijk said.

One lesson is that companies may need to update how they anonymize data, with the ruling in mind, the practitioners agreed. Data that companies considered anonymized could still be determined to be personal data, because just deleting identifying data might not be sufficient. It's also necessary to see what other means exist, through external parties, “to re-identify that data,” Van der Eijk said.

U.S. companies may no longer assume that data that doesn't directly identify a person isn't considered personal data, Van der Eijk said. Additionally, the ECJ ruling may apply to static IP addresses, he said.

Companies must explore legal means that are “reasonable” and “likely” to be used to identify a data subject in a particular situation, Van der Eijk said. “They have to really look at what kind of data they hold, and what kind of data they would need to get for that data to be personal data for individuals, and how easy it is to get,” he said.

Underlying Case

Unlike static IP addresses, a dynamic IP address is different each time a user connects to the internet, making it impossible to establish a link between a specific computer and the physical connection to the internet service providers. Thus, more data is needed to identify a person with a dynamic IP address.

Yann Padova, former secretary-general of France's data protection authority, told Bloomberg BNA Oct. 19 that in Scarlet Extended SA v. SABAM, No. C-70/10 (ECJ, Nov. 24, 2011), the ECJ already ruled that IP addresses are personal data.

The ECJ noted its Oct. 19 decision is a preliminary ruling in response to two questions posed by Germany's Federal Court of Justice: Whether dynamic IP addresses collected by a website operator constitute protected personal data, and whether a stipulation under German data protection law that, if users' IP addresses are personal data then they can't be stored without the users' consent, violates the EU data directive.

In the underlying case filed in a German local court in 2008, a state lawmaker challenged the German federal government's storage of dynamic IP addresses of people using government websites. The government argued that logging visits to its websites is necessary for security reasons, and that it was unable to link the information back to any specific person.

Legitimate Use

Van der Eijk said the court also found that EU countries can't restrict the way data controllers legitimately collect and use personal data in accordance with the EU Data Protection Directive (95/46/EC).

The ECJ said the EU data directive allows a data controller, or third party to which the data are transmitted, to process the personal data without the user's consent to achieve a legitimate objective—such as ensuring continued operation of a website. The ECJ said in the ruling that an EU country can't enact laws precluding such uses.

Van der Eijk said many data protection authorities have said you can only process personal data for advertising purposes online with consent. “The ruling indicates that any legislation that would state that is void, because of the applicability of article 7F of the EU Data Protection Directive,” he said.

“This may give companies grounds to challenge certain limitations for use and collection of data,” he said.

Padova said that the ruling illustrates “that with the crossing of data, and several changes in definition, personal data is a legally unstable notion.”

Padova cautioned against “over-interpreting” the ruling. “It is significant, but it has a very specific, and new,” he said.

With assistance from Jimmy H. Koo in Washington and Jabeen Bhatti in Berlin

To contact the reporter on this story: Rick Mitchell in Paris at correspondents@bna.com

To contact the editors responsible for this story: Donald G. Aplin at daplin@bna.com; Daniel R. Stoller at dstoller@bna.com

For More Information

The ECJ ruling is available at http://src.bna.com/juA.

Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.
