Dynamic IP addresses as personal data

In a decision from October 19, 2016, the European Court of Justice (“ECJ”) ruled to what extent a dynamic IP-address can be considered as “personal data”.

The underlying facts are related to a claim against the Federal Republic of Germany for storing IP addresses of internet users consulting the websites run by the German Federal institutions.

An Internet Protocol address (“IP address”) is a sequence of numbers allocated to each device (computer, tablet, smartphone). It is communicated to the server on which a website is hosted whenever this page is consulted. “Dynamic” IP addresses are replaced when subsequent connections are made. This is why IP addresses do not allow to identify a person without combining them with additional information that is exclusively held by Internet service providers (“ISP”).

In 2011, the ECJ already decided that when it comes to collection and identification of IP addresses carried out by ISPs, IP addresses are to be considered as protected personal data because they allow users to be precisely identified.

However, following the wording of Article 2(a) of Directive 95/46, a person can also be “indirectly” identifiable. This means that information enabling the identification must not necessarily be in the hands of one single person. What is important is that its combination constitutes a means likely reasonably to be used to identify the data subject.

The ECJ considers that this condition is met in the case at stake because the German law allows in specific circumstances, in particular cyberattacks, to contact the competent authority, so that the latter can take the steps necessary to obtain information from the internet service provider and thus identify the internet user.

We can thus conclude that the question whether the registration of dynamic IP addresses is to be considered personal data requires an examination of the specific circumstances. It will be the case if there are legal means which enable to identify the data subject with additional data from the internet service provider.

Storing IP addresses, especially as a means of protection against cyber criminality, is a common practice. Whoever is responsible for storing IP addresses thus has to treat them as private data. This means that they have to be protected accordingly and that privacy protection laws have to be respected.

If you wish to have more information on this topic, please contact M. Guillaume RUE (guillaume.rue@cairnlegal.be).

Best regards,

The Cairn Legal team.