On Wednesday October 19, 2016 the Court of Justice of European Union (“CJEU”) issued its judgment in Case C-582/14, Patrick Breyer v Germany. 

The CJEU held that a “dynamic” IP address constitutes personal data (agreeing with the Opinion of the Advocate General from May this year).  Dynamic IP addresses qualify as personal data, even if the website operator in question cannot identify the user behind the IP address, since the users’ internet service or access providers (“ISPs”) have data that, in combination with the IP address, can identify the users in question.

The CJEU concluded that domestic law — in this case, German law — could not adopt a more restrictive interpretation of the “legitimate interests” legal basis for processing than is set out under the EU Data Protection Directive.  In that vein, the continued processing of personal data, without the user’s consent, may be justified as falling within a legitimate interest — e.g., ensuring the continued security or functioning of those websites including to protect against cyberattacks.
Continue Reading CJEU Confirms Dynamic IP Addresses To Be Personal Data

On May 12, 2016, EU Advocate General (“AG”) Manuel Campus Sanchez-Bordona issued an Opinion in Case C-582/14 Patrick Breyer v Germany, which is pending before the EU’s highest court (the Court of Justice).  The Court is not legally bound by this Opinion, but in practice often follows the opinions of its Advocate Generals in its rulings.  See here for the German language version; an English version is awaited.

The AG essentially considered that dynamic ‘IP’ addresses qualify as personal data, even if the website operator in question cannot identify the user behind the IP address, since the users’ internet access providers have data which, in connection with the IP address, can identify the users in question.

The AG went on to consider that the collection and use of IP address data, for the purpose of ensuring the functioning of the website, might be justified on the basis of the “balancing of legitimate interests” test under the EU Data Protection Directive 95/46/ EC (the “Directive”), notwithstanding more restrictive national rules in Germany.

If followed by the Court of Justice, the Opinion will have broad implications for EU data protection law, even the forthcoming General Data Protection Regulation (the “GDPR”).  In particular, the Opinion will be relevant for any industries that handle de-identified personal data, and re-confirms the limits that national legislators need to respect when deviating from EU-level data protection legislation.

Continue Reading EU Advocate General Considers Dynamic IP Addresses To Be Personal Data