IP addresses are personal data
On 19 October 2016, the Court of Justice of the EU presented its opinion in the highly anticipated judgement of the Breyer case. In Breyer, a preliminary question was referred to the Court to seek its opinion on whether dynamic IP addresses can be considered as personal data. Mr. Breyer, who is a member of the “Pirate Party” did not agree with the German Federal Republic storing the IP addresses of its website’s visitors in a log file. As such, these log files make a distinction between static and dynamic addresses. While it is a given fact that the former can identify a person, the dynamic IP addresses have been at the heart of several discussions.
Dynamic IP addresses have as characteristic that they differ every single time a new connection to the internet is made, which makes it difficult to use them as an identifier. The judgement of the Court clarifies once and for all that dynamic IP addresses are also considered to be personal data if they can be identified by ‘legal means’ (additional data) of third parties (ISP). This aligns with the opinion of the Advocate General in the case earlier reported on in Privacy Flash Issue 13, which also stated that such IP addresses are personal data and even named the same conditions thereto. Furthermore, it also confirms the opinion presented in a Working Document of the Article 29 Working Party published in 2009, where it explained why it considered the logged date, time, duration and dynamic IP addresses as personal data.
The judgement also dealt with a second question raised by the referring Court, this being the question whether a Member State was precluded from introducing a legislation that allowed the use of personal data without any consent for the purposes of facilitating and charging for access to online media services after terminating the access. In this respect, the CJEU stated that it was indeed forbidden and that a general operability should not be considered a sufficient justification to do so.