On May 12, 2016, EU Advocate General (“AG”) Manuel Campus Sanchez-Bordona issued an Opinion in Case C-582/14 Patrick Breyer v Germany, which is pending before the EU’s highest court (the Court of Justice). The Court is not legally bound by this Opinion, but in practice often follows the opinions of its Advocate Generals in its rulings. See here for the German language version; an English version is awaited.
The AG essentially considered that dynamic ‘IP’ addresses qualify as personal data, even if the website operator in question cannot identify the user behind the IP address, since the users’ internet access providers have data which, in connection with the IP address, can identify the users in question.
The AG went on to consider that the collection and use of IP address data, for the purpose of ensuring the functioning of the website, might be justified on the basis of the “balancing of legitimate interests” test under the EU Data Protection Directive 95/46/ EC (the “Directive”), notwithstanding more restrictive national rules in Germany.
If followed by the Court of Justice, the Opinion will have broad implications for EU data protection law, even the forthcoming General Data Protection Regulation (the “GDPR”). In particular, the Opinion will be relevant for any industries that handle de-identified personal data, and re-confirms the limits that national legislators need to respect when deviating from EU-level data protection legislation.
In this case, the Court has been asked, by a preliminary ruling reference from Germany’s highest civil court (the “BGH”), to answer two questions regarding the interpretation of certain provisions of the EU Data Protection Directive 95/46/EC (the “Directive”), in effect:
- whether dynamic Internet Protocol (“IP”) addresses qualify as personal data; and
- whether such data may be processed by a website operator in order to defend itself against denial-of-service and similar attacks and to allow the criminal prosecution of hackers.
For the exact wording of the two questions that have been referred to the Court for a so-called preliminary ruling, see here. These questions arose in court proceedings in Germany that had been initiated by Mr. Breyer against the German Federal Republic of Germany, essentially asking Germany to stop storing the IP address of his hosting provider for longer than during the time of his access/use of the Internet portals operated by Germany.
The AG’s Opinion
In addition to proposing an answer to the two questions, the AG also considered that the data processing by the Federal Republic of Germany is not exempt from the scope of application of the Directive, as in this case Germany acts like a private website operator and not in the exercise of public authority.
Dynamic IP addresses as personal data
“Personal data” is defined in Article 2(a) of the Directive as any information relating to an identified or identifiable natural person (a “data subject”). As regards the first referral question, the AG proposes the following interpretation: an IP address which an information society (“telemedium”) service provider (like an Internet portal or website operator) stores when its website is accessed constitutes personal data for that service provider if an internet access provider as a third party has additional data which, in connection with the dynamic IP address, enable the identification of the user.
When interpreting Article 2(a), the AG relied on Recital 26 of the Directive, which states that “to determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person.” In this context, he considered that additional data held by an internet access provider would amount to such means ‘likely reasonably’ to be used. The internet access provider would be one of the major Internet actors and has data which the information society service provider needs in order to identify the user. The internet access provider would thus naturally be the first person to reasonably consider in this context. By contrast, data held by hypothetical, unknown or unreachable third parties would not meet this test.
The purpose of ensuring the general operability of an Internet portal or website is a “legitimate interest” which may justify the processing of dynamic IP addresses
The second question which has been referred to the Court relates to a provision in the German Telemedia Act (TMG) (section 15). This only allows the collection and use of telemedia users’ usage data in limited circumstances, but not for the purpose of ensuring the general operability of the telemedia service.
In the AG’s view, the TMG must be interpreted in light of Article 7(f) of the Directive, which allows data processing if necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data is disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject.
In a previous ruling in Joined Cases C‑468/10 and C‑469/10 ASNEF and FECEMD (see here), the Court had already held that EU Member States can establish guidelines in respect of the balancing of interests required under Article 7(f) of the Directive, but cannot exclude the possibility of processing certain categories of personal data by definitively prescribing, for those categories, the result of the balancing of the opposing rights and interests, without allowing a different result by virtue of the particular circumstances of an individual case.
The AG thought that section 15 TMG is narrower than Article 7(f) of the Directive and definitively prescribes the scope of the legitimate interest without allowing for a different result. Section 15 TMG must therefore be interpreted in such a way that the purpose of ensuring the general operability of the telemedium can in principle constitute a legitimate interest, which may justify the processing of dynamic IP addresses, provided this interest is not overridden by the interests of the data subject. The AG refrained from taking a view on whether this latter condition is met in the present case, as this would be for the referring German court to decide.
The Court is not legally bound by this Opinion, but in practice often follows the opinions of its Advocate Generals in its rulings. The forthcoming preliminary ruling will certainly be another significant ruling in a growing number of EU Court of Justice decisions clarifying fundamental questions concerning the interpretation of EU data protection law.