On May 12, 2016, EU Advocate General (“AG”) Manuel Campus Sanchez-Bordona issued an Opinion in Case C-582/14 Patrick Breyer v Germany, which is pending before the EU’s highest court (the Court of Justice). The Court is not legally bound by this Opinion, but in practice often follows the opinions of its Advocate Generals in its rulings. See here for the German language version; an English version is awaited.
The AG essentially considered that dynamic ‘IP’ addresses qualify as personal data, even if the website operator in question cannot identify the user behind the IP address, since the users’ internet access providers have data which, in connection with the IP address, can identify the users in question.
The AG went on to consider that the collection and use of IP address data, for the purpose of ensuring the functioning of the website, might be justified on the basis of the “balancing of legitimate interests” test under the EU Data Protection Directive 95/46/ EC (the “Directive”), notwithstanding more restrictive national rules in Germany.
If followed by the Court of Justice, the Opinion will have broad implications for EU data protection law, even the forthcoming General Data Protection Regulation (the “GDPR”). In particular, the Opinion will be relevant for any industries that handle de-identified personal data, and re-confirms the limits that national legislators need to respect when deviating from EU-level data protection legislation.