Dynamic IP addresses can be personal data says Advocate-General of the CJEU

Summary

On request for a preliminary ruling from the German Supreme Court, the Advocate-General of the Court of Justice of the European Union (CJEU) concluded that dynamic IP addresses can be personal data within the meaning of the EU Data Protection Directive.

Background

German federal institutions exploit websites which contain general information for the public. All access to these sites and information on the pages visited, the name of the requested files and also the dynamic IP address (temporary identification number) of the computer is kept in logbooks beyond the period of use of the specific site. The aim is to repel cyber-attacks and enable later identification of potential attackers.  It was undisputed that the immediate identification of the user by the German institutions was only possible in combination with additional information held by the internet provider.

The main question in this case was whether in these circumstances the dynamic IP addresses stored by the German institutions constituted personal data within the meaning of the EU Data Protection Directive.

What is the conclusion of the Advocate-general?

In 2011, the Court already made it clear in its case Scarlet (C‑70/10) that IP addresses are personal data when stored by internet providers. The new point of law here is whether the dynamic IP addresses are personal data even when the recipient (the German institutions) depends on a specific third party (the internet provider) for additional information to further identify the user.

The Advocate-General considered that an individual that can be identified with the aid of a specific third party is “identifiable”.  The Advocate-general emphasises that the “reasonable” possibility that additional data would be transmitted by the internet provider, changes the dynamic IP address into personal data.

Why is it important?

The case raises the issue of consent of processing and the grounds that justify the processing of personal data.  Once again it is emphasized that “personal data” should not be interpreted restrictively. The opinion of the Advocate-general does not come as a surprise but is in line with the recent “privacy friendly” decisions of the Court.

Nonetheless, the scope of the case is limited and many questions remain unanswered.  The Advocate-General points out himself that this case does not answer the following questions: (a) are static IP addresses personal data within the meaning of the EU Data Protection Directive; (b) are dynamic IP addresses in all circumstances personal data; and (c) should dynamic IP addresses necessarily be considered personal data as from the moment when an arbitrary third person is capable of identifying the internet users?

Member States’ margin of discretion

Aside from the fact that the Advocate-General considers dynamic IP addresses as personal data if a third party has additional data which will make it possible to re-identify the individual, there is another crucial point mentioned in the opinion dealing with the margin of discretion which Member States have pursuant to Article 5 of the EU Data Protection Directive. Referring to the implications of the CJEU cases ASNEF (C‑468/10) and FECEMD (C‑469/10) the Attorney-General holds the opinion that Member States cannot add new principles relating to the lawfulness of the processing of personal data set out in Article 7 of the EU Data Protection Directive or impose additional requirements that have the effect of amending the scope of one of the six principles provided for in Article 7.

Unlike the disputed provisions in the cases ASNEF (C‑468/10) und FECEMD (C‑469/10), the controversial provision in the current case – sec. 15 German Telemedia Act (“Telemediengesetz – TMG”) – does not directly impose any additional requirements, rather it just stipulates that the collection and use of telemedia users’ usage data (“Nutzungsdaten”) is only allowed in limited circumstances, hence section 15 TMG is narrower than Article 7(f) of the EU Data Protection Directive.  However, the Advocate-General holds the opinion that sec. 15 TMG restricts and alters the scope of Article 7(f) in a categorical and absolute manner and, therefore, has to be interpreted in light of Article 7(f) of the EU Data Protection Directive. According to his opinion, national law must provide for a balance of interest in each individual case in such context, even if the national legislator has performed a comprehensive consideration and transposed the outcome in a refined national legislation.

Should the CJEU follow the opinion of the Advocate-General in this regard, this might have a crucial impact not only on the controversial German provision in the current case, but on national data protection law in general.

What’s next?

The Court will now have to come to a verdict. Although the opinions of the Advocates-General are advisory and not binding for the Court, they are nonetheless followed in the majority of cases.