Oct. 19 — Internet protocol addresses relating to visitors’ use of websites constitute protected data under European Union laws, the EU’s top court ruled Oct. 19 (Breyer v. Bundesrepublik Deutschland, E.C.J., No. C-582/14, 10/19/16).
But website operators may have “legitimate interests” for storing that data to protect against cyberattacks, the Court of Justice of the European Union (ECJ) said.
The ruling may force changes in the operations of online companies that have EU operations—or that have customers there—and identify users by their IP addresses for tracking or other purposes, privacy officials say.
Internet protocol (IP) addresses are protected under European Union laws only when they can “likely reasonably” be combined with identifying information held by other parties, the EU's top court ruled.
The Luxembourg-based European Court of Justice found that dynamic IP addresses registered by a public website operator are personal data, but only if the operator “has the legal means enabling it to identify the visitor with the help of additional information which that visitor's internet service provider has.”
Berend van der Eijk, a data protection associate at Bird & Bird LLP and attorney in The Hague, told Bloomberg BNA Oct. 19 that the ruling means that online companies such as social media networks, search engines and others can no longer assume that just because they don't hold all pieces of the identification puzzle for certain IP data, a court won't find that data is personal data, with all the restrictions that entails.
Gabe Maldoff, London-based privacy practice associate at Bird & Bird and former Westin Fellow at the International Association of Privacy Professionals, told Bloomberg BNA Oct. 19 that “this decision reflects a growing awareness that seemingly anonymous data can be used to identify individuals.” Maldoff said that “for organizations that collect IP addresses, this means that even if you can't identify individuals from it, the fact that others can could subject you to European data protection requirements.”
As the new EU General Data Protection Regulation (GDPR) takes effect in May 2018, “U.S. organizations will need to pay attention to how they protect any IP addresses they collect,” Maldoff said. Keeping IP addresses “secure is one thing, but you will also need to make sure you have a lawful basis to store the IP address in the first place,” he said.
Germany's Federal Data Protection Commissioner Andrea Voßhoff said Oct. 19 that the ECJ is “setting a further signal for the necessity of a strong data protection framework in our increasingly digitized world.” The development is “very important for the uniform implementation of the GDPR entering into effect in May 2018.”
U.S. companies that do business in the EU, such as Alphabet Inc.'s Google, Amazon.com Inc., Facebook Inc. and others that log users' IP addresses, may feel the impact from the decision.
Based on the ECJ's ruling, Van der Eijk said individual countries' courts will now have to assess whether local law enforcement officials would be able to obtain additional identifying data from an internet service provider (ISP).
“Maybe in some countries and some cases it will be still extremely difficult to get information, and in such cases the dynamic IP might not qualify as personal data,” Van der Eijk said.
One lesson is that companies may need to update how they anonymize data, with the ruling in mind, the practitioners agreed. Data that companies considered anonymized could still be determined to be personal data, because just deleting identifying data might not be sufficient. It's also necessary to see what other means exist, through external parties, “to re-identify that data,” Van der Eijk said.
U.S. companies may no longer assume that data that doesn't directly identify a person isn't considered personal data, Van der Eijk said. Additionally, the ECJ ruling may apply to static IP addresses, he said.
Companies must explore legal means that are “reasonable” and “likely” to be used to identify a data subject in a particular situation, Van der Eijk said. “They have to really look at what kind of data they hold, and what kind of data they would need to get for that data to be personal data for individuals, and how easy it is to get,” he said.
Unlike static IP addresses, a dynamic IP address is different each time a user connects to the internet, making it impossible to establish a link between a specific computer and the physical connection to the internet service providers. Thus, more data is needed to identify a person with a dynamic IP address.
Yann Padova, former secretary-general of France's data protection authority, told Bloomberg BNA Oct. 19 that in Scarlet Extended SA v. SABAM, No. C-70/10 (ECJ, Nov. 24, 2011), the ECJ already ruled that IP addresses are personal data.
The ECJ noted its Oct. 19 decision is a preliminary ruling in response to two questions posed by Germany's Federal Court of Justice: Whether dynamic IP addresses collected by a website operator constitute protected personal data, and whether a stipulation under German data protection law that, if users' IP addresses are personal data then they can't be stored without the users' consent, violates the EU data directive.
In the underlying case filed in a German local court in 2008, a state lawmaker challenged the German federal government's storage of dynamic IP addresses of people using government websites. The government argued that logging visits to its websites is necessary for security reasons, and that it was unable to link the information back to any specific person.
Van der Eijk said the court also found that EU countries can't restrict the way data controllers legitimately collect and use personal data in accordance with the EU Data Protection Directive (95/46/EC).
The ECJ said the EU data directive allows a data controller, or third party to which the data are transmitted, to process the personal data without the user's consent to achieve a legitimate objective—such as ensuring continued operation of a website. The ECJ said in the ruling that an EU country can't enact laws precluding such uses.
Van der Eijk said many data protection authorities have said you can only process personal data for advertising purposes with consent online. “The ruling indicates that any legislation that would state that is void, because of the applicability of article 7F of the EU Data Protection Directive,” he said.
“This may give companies grounds to challenge certain limitations for use and collection of data,” he said.
Padova said that the ruling illustrates “that with the crossing of data, and several changes in definition, personal data is a legally unstable notion.”
Padova cautioned against “over-interpreting” the ruling. “It is significant, but it has a very specific, and new,” he said.
With assistance from Jimmy H. Koo in Washington and Jabeen Bhatti in Berlin
To contact the reporter on this story: Rick Mitchell in Paris at firstname.lastname@example.org
The ECJ ruling is available at http://src.bna.com/juA.
Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.