Today, the European Court of Justice (ECJ) issued its long-awaited decision in Breyer v. Germany. Breyer addresses the question of whether IP addresses are “personal data” for purposes of EU data protection law. As is widely known, personal data is any information that would permit a particular individual to be identified, whether directly or in combination with other information. Until the present, there has been widespread agreement that static IP addresses are personal data. In contrast, there has been little agreement on whether dynamic IP addresses constitute personal data. While most authorities agree that a dynamic address in the hands of an Internet Service Provider (ISP) could be used to identify an individual – and thus constitutes personal data – there is little agreement about whether dynamic IP addresses in the hands of someone other than the ISP should be considered personal data.
Breyer addresses the question of whether dynamic IP addresses, held by someone other than an ISP, are personal data. The controller at issue was the German government – it stores the IP addresses of visitors to certain government websites (such as the BND, Germany’s NSA equivalent) so that it can prevent and detect cyberattacks.
1. Factual and Procedural Background
Mr. Breyer is a member of Germany’s “Pirate Party” (Piratenpartei), a civil-liberties-focused opposition political party. Upon learning that certain government websites were logging visitors’ IP addresses, Breyer sued the German government, claiming that by storing his IP address, the government was unlawfully processing personal data about him. Breyer argued IP addresses should be considered personal data, because if the government were to combine them with usage data from ISPs, the government could identify individuals.
The question was thus whether an IP address in the hands of a website operator constitutes personal data, and it was decided in different ways by the lower German courts. Ultimately, the case made its way to the German Supreme Federal Court (Bundesgerichtshof). During its proceedings, the German Supreme Court took a look at the two dominant theories regarding IP addresses that existed in the legal literature:
- One side of the debate takes the ‘absolute’ approach, i.e. an IP address is personal data if someone, somewhere in the world has enough additional information to link it to a particular individual (which, in most cases, the ISP has). This approach effectively makes all IP addresses per se personal data.
- The other side takes the ‘relative’ approach, which considers IP addresses personal data only if the controller who actually has the IP address in its possession could – using only the information it has and reasonable effort – link the IP address to an individual. This approach generally requires a controller-by-controller analysis.
Interestingly, the German Supreme Court reviewed German cases and found that they followed the relative approach. (It was German academic literature that tended to favor the absolute approach.) So the German court indicated it was leaning towards declaring the relative approach to be German law.
2. Referral to the ECJ
However, given the importance of the issue to EU law, the German court referred the issue to the ECJ. In ECJ proceedings, the Advocate General argued that IP addresses in the hands of the German government should be considered personal data because the government could legally—and thus reasonably and foreseeably—obtain data from ISPs that it could use to identify individuals.
3. The ECJ’s Decision
The ECJ phrased the question at issue as whether dynamic IP addresses in the hands of a website operator – and particularly the German government – are personal data. The ECJ began its analysis by reviewing basic principles of data protection law. EU data protection law considers information “personal data” as long as it permits a person to be identified “directly or indirectly.” The ECJ stated that the use of the word “indirectly” meant that “in order to treat information as personal data, it is not necessary that that information alone allows the data subject to be identified.” Moreover, “it is not required that all the information enabling the identification of the data subject must be in the hands of one person.” Third parties – such as ISPs – can hold the data permitting individuals to be identified.
However, the ECJ did not state that in all cases, IP addresses in the hands of a website operator should be considered personal data. Instead, it required an evaluation of “whether the possibility to combine a dynamic IP address with the additional data held by the [ISP] constitutes a means likely reasonably to be used to identify the data subject.” The ECJ stated this would not be the case when “the identification of the data subject [is] prohibited by law,” i.e. if legal rules prohibit ISPs from transmitting subscriber data to website operators.
In the case of the German government as a website operator, however, the ECJ noted that no such statutory prohibition of information-sharing existed. “[I]n the event of cyberattacks legal channels exist so that the [German government] is able to contact the competent authority, so that the latter can take the steps necessary to obtain that information from the [ISP] and to bring criminal proceedings.” Thus, the ECJ held that thanks to “the assistance of other persons,” the German government “has the means which may likely reasonably be used in order to identify the data subject . . . on the basis of the IP addresses stored.”
The ECJ closed by phrasing its holding broadly. It stated that dynamic IP addresses held by a website operator constitute personal data as long as the operator has “the legal means which enable it to identify the data subject with additional data which the [ISP] has about that person.” Thus, unless a statutory or other prohibition on ISP sharing of subscriber data exists, the ECJ’s holding creates a risk that IP addresses can be considered personal data.
4. The ECJ Loosens German Rules on Collection and Use of Internet User Data
As part of his suit, Breyer had also demanded the German government stop storing the IP addresses of visitors to German government websites. As the basis for this demand, Breyer cited § 15 of Germany’s Telemedia Act, which states that website operators may “collect and use the personal data of [online users] only in so far as is necessary to facilitate, and charge for, the particular use” of the website.
The ECJ compared the Telemedia Act’s restrictions on data use to the provision of Art. 7(f) of the Data Protection Directive (which will become Art. 6(f) of the General Data Protection Regulation). Article 7(f) of the Directive permits controllers to process data to pursue “legitimate interests” that are not outweighed by user privacy interests. The ECJ noted that the notion of “legitimate interests” is far broader than merely making online services available and charging for them. Thus, the ECJ found that § 15 of Germany’s Telemedia Act unduly restricted “the scope of the relevant legitimate interest[s]” that could justify processing of internet user data – and that as a result, it was “precluded” under EU data protection law. This part of the ECJ’s decision is likely of primary relevance to companies with German operations, but potentially eliminates a significant risk of being held liable for unlawful processing.
A copy of the ECJ’s Breyer decision can be downloaded here.