IP Addresses as Personal Data - Website Providers To Come Under Even More Scrutiny With EU Data Privacy Law

May.17.2016

Website providers that collect dynamic Internet Protocol addresses ("IP address") from website visitors may soon be subject to even more scrutiny from data protection authorities in the EU.

Last week, Europe's Advocate General Manuel Campos Sánchez-Bordona (one of the advisors to the European Court of Justice, "ECJ") released an opinion which, if followed by the ECJ would end a long debated question whether IP addresses are personal data subject to EU data privacy law. The Advocate General takes the view that dynamic IP addresses are personal data when being in the hands of a website provider when a third party (e.g. the internet access provider) has access to additional information that would enable identification of the Internet user.

Online activity of Internet users—such as analytics information tied to IP addresses—is often collected and used by website providers for purposes such as marketing and website optimization. Such information is often collected and retained for a longer period of time without acquiring the individual's consent even though consent may be required. This opinion is of paramount interest for any such website provider.

Under EU privacy law it has long been debated whether a dynamic IP address qualifies as "personal data" even if it alone does not enable the recipient to identify the user. EU Directive 95/46/EC states in its Recital 26: “(26) Whereas the principles of protection must apply to any information concerning an identified or identifiable person; whereas, to determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person;…”;

So far, it is highly disputed whether information in the hands of a third party such an internet access providers is “likely reasonably to be used by” for example, a website provider.

For example, the German Data Protection Authorities classify IP addresses as personal data in general while many legal scholars and also the German courts tend to take a more fact specific view and regard IP addresses as personal data only if they believe that the entity collecting the IP address also has reasonably easy access to additional information that allows the identification of the user. Also on the EU level, most often, IP addresses are considered personal data and the upcoming General Data Privacy Regulation confirms this view.

However, even before the General Data Privacy Regulation comes into force, the debate may soon come to an end. The Advocate General's opinion was delivered in a case that was referred to the ECJ by German Federal Supreme Court (Bundesgerichtshof, "BGH"). The German politician Patrick Breyer lodged a case against the German government requesting it to stop storing dynamic IP addresses from visitors to German government websites for longer than was necessary to deliver the website content. The government stores IP addresses in log-files for a longer period in order to enable the identification and prosecution of attackers and hackers. Breyer argues that the IP addresses could be linked back to him and would thus constitute personal data. The Advocate General’s opinion agrees with this argument, and while not binding on the ECJ, is likely to be highly persuasive to the ECJ.

In a ruling rendered on 17 December 2014, the BGH referred the following questions to the ECJ:

Whether, under Article 2a of the EU Data Protection Directive 95/46/EC, an IP address is personal data when the IP address is stored by a website provider and a third party (e.g., an internet access provider) possesses sufficient additional data to identify the user.
Whether Art. 7f of the EU Data Protection Directive is contrary to a provision in a national member state’s law according to which a website provider may collect and process the personal data of users without their consent only to the extent it is necessary to (1) enable the general functionality of the website or (2) arrange payment. In addition, the relevant provision of the national member state’s law states that enabling the general functionality of the website does not permit user data to be processed after the user closes, or navigates away from, the website.

For the first question, according to the Advocate General, IP addresses that a website provider stores when its website is accessed by website visitor constitute personal data under EU data protection law, even if additional information necessary to identify the data subject is only in the possession of the internet access provider. Contrary to the view of the Federal Republic of Germany, which argued that such third party knowledge was not relevant since the internet access provider would only be permitted to disclose such information in very limited situation, the Advocate General argued that possession by the access provider was relevant and decisive. The Advocate General argued that even such limited situation of data disclosure by the website provider would be sufficient to assume that such knowledge of the website provider would be “means likely reasonably to be used by third parties” (see no 26 of the recitals of EC Directive 95/46/EC).

This is a fairly broad view of third party knowledge, as a website operator has only very limited means to request such information from an internet access provider.

For the second question, the Advocate General stated that EU Member States cannot completely forbid the retention of IP addresses where they are retained for the legitimate interest of a website operator to enable the use of its website.

If the ECJ's final decision follows the Advocate General’s opinion, it would mean that:

Any recording, storage or use of dynamic IP addresses by website providers beyond the period of use for a clearly defined purpose would require consent of the Internet user, unless the website service provider can demonstrate that the retention of IP addresses is necessary to ensure proper functioning of such website.
Website providers that have before relied on the assumption that dynamic IP addresses are not personal data and as such not covered by EU data privacy law would have to rethink and re-evaluate the processing of IP addresses and the ways to achieve their data privacy compliant processing.

For more information about these developments, please contact the authors of this blog or your Orrick relationship partner.

Authors

Dr. Christian Schröder Partner, Cyber, Privacy & Data Innovation, Technology Transactions

Düsseldorf

See my bio

D:+49 211 3678 7269
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Technology Transactions
Technology Companies Group
Automotive Technology & Mobility
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Dr. Christian Schröder Partner

Düsseldorf

Christian helps clients consider the privacy and artificial intelligence implications of new technology, supports their compliance programs, and helps them stay ahead of enforcement trends. One particular focus of his work deals with internal data transfer agreements, external data transfers with external providers, and product launches that comply with international data protection standards, as well as privacy requirements for connected cars. Furthermore, Christian provides guidance on privacy and data protection considerations for developing, acquiring, using, licensing and selling technology, data and intellectual property, including M&A transactions and IP focused joint ventures. He supports companies on the set-up of webshops, outsourcings, license agreements, in cases of trademark or unfair and deceptive trade practice issues, as well as on hard and software license and information technology (IT) project agreements.

Christian maintains strong working relationships with German data protection authorities and EU regulatory authorities with jurisdiction over privacy and data security matters. He effectively defends companies in cybersecurity and privacy-related investigations initiated by EU regulatory authorities. He also engages with authorities on behalf of clients and helps clients avoid proceedings and possible litigation. When litigation can't be avoided, Christian vigorously defends his clients.

For companies facing global cybersecurity incidents, Christian helps with crisis mitigation, including counseling on notification requirements, coordinating media strategies, and representing clients before data protection authorities in related regulatory investigations.

Christian regularly contributes practical thought leadership to global privacy industry publications and German privacy books and journals. Christian authors the Chapter V (international data transfers) of Germany’s leading GDPR commentary Kühling/Buchner (4th ed.) and is co-author to the Corporate Privacy Handbook (Betrieblicher Datenschutz). As an active member of the Sedona Conference, Christian drives the development and understanding of cross border privacy. He also participates in, hosts and moderates speaking programs with fellow private practitioners, EU data protection authorities, and academics focused on privacy and data security. Legal 500 Germany named Christian one of the top 15 practitioners in 2023 and noted that he is "a pioneer in the legal field, a data protection guru." They also recognized Christian and Orrick as "truly global" and how that it is "vital as they require the various leaders of each region to participate and bring issues to the table as a forum".

Prior to working in private practice, Christian interned with the German Federal Data Protection Commissioner and www.epic.org.

Related Areas

Markets

Germany