On October 19, 2016, the Court of Justice of the European Union (CJEU) issued a judgment determining that dynamic Internet protocol (IP) addresses may constitute “personal data” subject to protection under the EU’s Data Protection (Directive 95/46/EC) under certain circumstances. Pursuant to the Directive, EU member states are required to protect the natural persons’ right to privacy with respect to the processing of their “personal data.”
The CJEU took up the question of whether dynamic IP addresses constitute personal data after a German politician brought suit seeking to challenge the ability of German government websites to register and store dynamic IP addresses. The German government alleged that it needed to collect and store such IP addresses in order to prevent cyber attacks on its websites and to guarantee the “security and continued proper functioning” of the websites.
The CJEU’s judgment finds that it is possible to identify a natural person (a data subject) based on the dynamic IP address provided to that data subject by an online media services provider, if the IP address is combined with certain other data that is collected and stored by Internet service providers. Accordingly, the judgment finds that “a dynamic IP address registered by an online media services provider . . . constitutes personal data within the meaning of [the Directive]” when the provider “has the legal means which enable it to identify the data subject with additional data which the Internet service provider has about that person.”
The determination that a dynamic IP address may constitute personal data means that such IP addresses must be processed in accordance with the privacy requirements of the Directive. The ruling could have implications for companies that provide dynamic IP addresses to users of their websites.
The CJEU’s judgment also finds that a particular provision of the German law on Telemedia related to when an online media services provider may collect and use personal data without the subject’s consent is overly restrictive, and in conflict with, Article 7(f) of the Data Protection Directive. Therefore, the CJEU determined, the provision of the German law is precluded by the Directive.
The CJEU’s full decision is available here.