Difficulty remains in determining whether or not IP addresses can constitute personal data. The Mason Hayes & Curran Technology team analysed a recent ruling to get some answers.
The foundational concept in EU data protection law is that of ‘personal data’, and yet its meaning is not entirely clear.
In the recent Breyer case, the German courts sought clarification from the EU’s highest court, the Court of Justice of the European Union (CJEU), on the status of dynamic IP addresses. Breyer – alleging that dynamic IP addresses constituted his personal data – challenged the collection, use and storage of IP access logs on German state-owned websites.
Last month, we analysed the Opinion of the advocate general, the independent adviser to the CJEU. The CJEU’s judgment provided us with additional guidance on what personal data is but unfortunately, the position still lacks clarity. We now look at the significance of the judgment.
What is personal data?
Determining whether information is ‘personal data’ or not is the first step towards applying data protection law. Only personal data is safeguarded by data protection law. In short, personal data is information which relates to an identified or identifiable living individual. It is the latter half of the definition – what is ‘identifiable’ – that causes headaches for many organisations.
For example, “John Murphy is a great customer” is clearly personal data as the statement identifies John Murphy. By contrast, “Customer 12345 is a great customer” does not specifically name John Murphy. However, for the business that sells to John, it might be clear who Customer 12345 is. The alias “Customer 12345” is what we might call an identifier or pseudonym. Customer 12345 may be identified as John Murphy, but only with the benefit of the customer list or other information connecting the number with the individual.
In other words, if pieces of information can be combined to identify an individual, they may be deemed to be personal data. However, the question for the CJEU was whether certain information may be personal data to Company A, which has all of the data, and not be personal data to Company B, which only has a subset of that data. Previously, the Irish High Court found that IP addresses are personal data in the hands of an internet service provider (ISP), but not in the hands of a record label.
Are dynamic IP addresses personal data?
This is a recurring question related to the status of IP addresses. An IP address is a string of identifying numbers, which allows the transmission of information online to a specific individual and device. Dynamic IP addresses – the subject of this case – change frequently and may be assigned to different devices over time. Therefore, certain organisations (like the ISPs, which assign the addresses) will know the identity of the device and the associated subscriber to which a dynamic IP address has been assigned at any given time. Others, like website providers, will only have the dynamic IP address and the dates and times of access.
In this context, the CJEU focused on the idea that information could indirectly identify an individual. Building on this, the CJEU confirmed that, for information to be ‘personal data’, it is not necessary that all of the information that would enable identification be in the hands of one person. As a result, the question of whether a website provider could legally obtain the necessary information, without disproportionate effort in terms of time, cost and manpower, will inform whether the information is ‘personal data’ in its hands.
Therefore, according to the CJEU, ‘personal data’ is relative. A specific, fact-based analysis is needed to assess the relevant information held by each relevant organisation. In order to assess whether an organisation stores or uses personal data, one should ask whether it has, or can obtain, the information to identify the individual in question without ‘disproportionate effort’.
Using IP addresses for legitimate interests
It’s worth briefly highlighting the second part of the CJEU’s judgment, which examined the scope of the ‘legitimate interests’ ground for processing data. Under data protection law, organisations must be able to show a legal basis to justify their use of personal data. Although there are a variety of options here, consent and the organisation’s legitimate interests tend to be the most frequently used.
The CJEU considered that an aspect of German law improperly restricted the scope of the ‘legitimate interests’ ground, and the ability of data controllers to rely on this ground. The CJEU came to the conclusion that it was defensible to use the logs of dynamic IPs in order to secure and protect websites from fraudulent activity and attacks.
Unfortunately, the case does not establish a black-and-white answer for determining what is considered ‘personal data’. Certain information remains in something of a grey area. However, we do have more clarity than in the past.
It is worth noting that the General Data Protection Regulation contains an expanded definition of personal data, which specifically includes online identifiers, like IP addresses. Nevertheless, the issue is not closed. It would not be surprising to see a future request for clarification from the CJEU on what constitutes a ‘disproportionate effort’ to combine data sets.
The content of this article is provided for information purposes only and does not constitute legal or other advice.
Tech Law is a weekly series brought to you by Irish law firm Mason Hayes & Curran, whose legal tech team advises the world’s top social media organisations and emerging start-ups. Contact a member of the MHC Technology team or visit www.mhc.ie for more information.