On Wednesday October 19, 2016 the Court of Justice of European Union (“CJEU”) issued its judgment in Case C-582/14, Patrick Breyer v Germany.
The CJEU held that a “dynamic” IP address constitutes personal data (agreeing with the Opinion of the Advocate General from May this year). Dynamic IP addresses qualify as personal data, even if the website operator in question cannot identify the user behind the IP address, since the users’ internet service or access providers (“ISPs”) have data that, in combination with the IP address, can identify the users in question.
The CJEU concluded that domestic law — in this case, German law — could not adopt a more restrictive interpretation of the “legitimate interests” legal basis for processing than is set out under the EU Data Protection Directive. In that vein, the continued processing of personal data, without the user’s consent, may be justified as falling within a legitimate interest — e.g., ensuring the continued security or functioning of those websites including to protect against cyberattacks.
Continue Reading CJEU Confirms Dynamic IP Addresses To Be Personal Data