Damian Clifford and Jessica Schroers, legal researchers at KU Leuven, look at whether dynamic IP addresses fall within the scope of European Data Protection legislation given the identifiability of users based on the processing of IP addresses. In simple terms, IP addresses are unique sets of numbers that identify each computer using the Internet Protocol to communicate over a network. However, IP addresses can be either static or dynamic. The latter refers to situations in which a new address is assigned to each computer every time it connects to the internet. In contrast, static IP addresses remain attached to the same computer.
On 28 October 2014 the German Federal Court (Bundesgerichtshof) referred a question on the status of dynamic IP addresses to the Court of Justice of the European Union (CJEU). Specifically, the referring court is seeking to clarify whether a dynamic IP address constitutes personal data if the IP address itself is stored by an Internet service provider (ISP) while the information required to identify the user based on this IP address is held by a third party. The referral came as a result of an appeal against a decision taken by the Landgericht Berlin (a regional court) related to the question of whether the retention of IP addresses on official German government websites longer than technically necessary, and without user consent, amounted to an infringement of the German law.
The Landgericht held that an IP address in itself was not personal data as it does not relate to an identifiable person, although it could be considered personal data with the knowledge of additional identifying information. Hence, it should be considered whether IP addresses are personal data if they are registered without a timestamp, as no timestamp makes it impossible to request the required identifying information from the third party access provider, who would be unable to correctly locate the connected information. In general, the Landgericht concluded that identifiability should not only be theoretical but should also be a practical possibility. This occurs only when the necessary effort is not disproportionate to the benefit the processor might gain from identifying the user.
Applying this to the case in question, as the German government would only have access to the identifying information in situations involving an intellectual property infringement or criminal case, the IP addresses were not considered as personal data. Therefore, if the user does not provide identifying information on the website, IP addresses were not considered personal data by the court. Both parties to the dispute were dissatisfied with this conclusion resulting in the current case and subsequent referral.
It is clear that the question submitted to the CJEU is significant for all Member States, as it will hopefully provide clarity vis-à-vis the personal data status of IP addresses, and it is important to note some of the diverse opinions that have been expressed on the status of IP addresses at a national level.
Member State opinion
Currently, opinions on this issue are extremely divided in Member States and even amongst the national level legal communities. For example, in Ireland this disparity is reflected in Court decisions: in EMI & Ors v Eircom Ltd IEHC 108, the Irish High Court decided that IP addresses do not amount to personal data under the terms of the Irish implementation of the Data Protection Directive. This case related to copyright infringement and illegal downloading and reflects the confusion experienced in other jurisdictions, such as France. The French Courts have presented a divided picture with contrasting opinions at various levels; however, the French Constitutional Court has held that IP addresses do amount to personal data in their judgement relating to the constitutionality of the Hadopi law (Décision n° 2009-580 DC du 10 juin 2009). The Court concluded that the collection of data (in this case IP addresses) allowing for the identification of a person did amount to the processing of personal data.
In Germany there appears to be somewhat of a general consensus that IP addresses in the hands of access providers are to be considered as personal data. However, as the Landgericht Berlin assessment in the case at hand illustrates, the question as to whether IP addresses are personal data without the additional access provider information is still undecided. On the one hand, certain commentators consider that as is it technically simple to link IP addresses via the access provider to identifying information, this automatically renders it personal data (‘absolute understanding’). In contrast, other commentators are of the opinion that this classification depends on the additional information accessible in practice to the processing party and their technical and legal capacity to obtain this additional information (‘relative understanding’). The access to the information of service providers is restricted by law and these providers normally only keep information on dynamic IP addresses for a maximum of 7 days. Accordingly, some commentators do not consider dynamic IP addresses as personal data.
Similar to the national experience, the CJEU has previously ruled indirectly on this issue in the context of the enforcement of Intellectual Property rights. In Scarlet v Sabam (Case C-70/10, November 24, 2011) it was found that as users could be directly identified, IP addresses were classified as personal data. However, to distinguish the discussion thus far, it must be understood that in the decided cases referred to above the personal data status of IP addresses has been a secondary issue and the various national Courts have instead been focussed on copyright infringement and the protection of intellectual property rights. As such the Courts have yet to rule upon the status of dynamic IP addresses. In contrast, in the case at hand, the status of IP addresses is the key concern of the Court. Accordingly, this presents the Court of Justice with a unique opportunity to provide clarity on this issue.
What does the future hold?
It will be interesting to see how the CJEU will decide this matter and whether it will use the opportunity to bring clarity to this long running discussion. The Court has different options, it can decide to assess the case narrowly on its own merits or it can provide a broader view on the status of IP addresses in general. In the assessment of how the Court will examine this issue, we must consider the opinion of the Article 29 Working Party as it may prove to be persuasive and thus indicative of the future outlook.
The Working Party has clearly stated on a number of occasions that IP addresses constitute personal data under the terms of the Directive where they can be traced to natural persons with the cooperation of the internet provider (for example see the Article 29 Working Party Opinion on Search Engines). Due to the emergence of increasingly powerful processing mechanisms, the identity of users can frequently be ascertained through the analysis of large quantities of data linked to IP addresses and other seemingly anonymous data. This statement is not however absolute, and it must be acknowledged that not all IP addresses can be effectively linked to a user (for example, computers that are used by multiple users). Accordingly, this issue is not as clear cut as it may seem at first glance. However, in its opinion on the concept of personal data, the Working Party has stated that as static and dynamic IP addresses are not in practice easily distinguishable, all IP addresses should consequently be treated as personal data. This opinion in essence fails to truly categorise dynamic IP addresses as personal data, but instead recommends a de facto status based on the inability of services providers to distinguish between the types of IP addresses. This will be an issue that the Court will be required to consider carefully.
As such, this case has the potential to become a landmark decision and could be of clear significance to all who process IP addresses. If the Working Party opinion is followed this may fail to truly clarify this issue. However, to define dynamic addresses as personal data also presents concerns. Indeed, this may be indicative of a general move towards considering an increasingly broader scope of data as personal under the terms of the Data Protection edifice. As it is clear that in particular cases IP addresses cannot be linked to users without access to additional information, this generalised categorisation may result in the broadening of the scope of the Data Protection Framework. Nevertheless the Court may decide the opposite and find that dynamic IP addresses do not come within the terms of the definition of personal data. This case should be watched closely.
This article gives the views of the authors, and does not represent the position of the LSE Media Policy Project blog, nor of the London School of Economics and Political Science.