In a time of exponential growth of available data and the use of such data, the million-dollar question for data protection lawyers is: “does the data qualify as personal data?” If it doesn’t, companies have relative freedom to enjoy the benefits of the set of data. If the data does qualify as personal data however, one enters the realm of data protection legislation, which contains substantial restrictions and obligations on the collection and use of such data. Under the current Privacy Directive 95/46/EC, personal data is defined as “any information relating to an identified or identifiable natural person”. The above question often arises in relation to the latter alternative - whether or not a natural person is “identifiable” through the respective data.
The answer to one of two preliminary questions referred to the European Court of Justice ("ECJ") by the German Supreme Court, the Bundesgerichtshof (“BGH”), may provide more guidance on what data can be regarded as personal data and on how this relates to what can be considered information relating to an identifiable individual. In his recent opinion, the Advocate General (“AG”), Mr. Sánchez-Campos Bordona, advised the ECJ to consider dynamic IP addresses held by websites to qualify as personal data insofar as internet providers are able to relate the addresses to the subscribers.
The ECJ's final ruling in this case is expected in a few months, in which the ECJ may adopt, dismiss or deviate from the AG's opinion as it deems fit. Companies are advised to keep a close watch on the outcome of this case (which will be covered in our newsletters), as it may have an impact on whether or not certain data sets qualify as personal data. This holds true for IP addresses in particular, but may also extend to the general concept of personal data and related anonymisation and pseudonymisation techniques.
A concerned member of parliament for the German Piratenpartei, Mr. Patrick Breyer, objected to the collection of IP addresses (both dynamic and static addresses) by a number of websites run by German federal agencies. The German government, on behalf of the agencies, argued that it needs these IP addresses, among other data (including date and time of visit, search terms and files downloaded), in order to prevent internet attacks and enable prosecution of those who violate the law. The government further argued that the data logs (including the IP addresses) do not qualify as personal data, since the information does not allow identification of natural persons. According to the German government, the reason for this is that the information that may allow for such identification is held not by the federal agencies, but by the internet providers that provide internet connectivity to the visitors of the websites and that know which IP addresses belong to which subscribers.
Internet devices such as phones, tablets and modems/routers are assigned an (external) IP address by the internet provider. This IP address is then used to connect to websites, apps and other internet services. Such an IP address can be “static”, meaning that a device is always assigned the same address, or “dynamic”, which is the case if a device is assigned a different IP address per internet session.
Most internet providers, either by law (due to data retention obligations) or for other purposes, have a record of the IP addresses assigned to each individual subscriber. This means that the relevant internet provider can often (unless it concerns a business subscription) relate an IP address to a natural person (the subscriber), thereby making the IP address personal data. This was already confirmed in the ECJ’s Scarlet/Sabam case, in which Bird & Bird acted for Scarlet.
The AG characterises the interpretation of the German government as the “relative approach” to what is considered “identifiable information”. The relative approach, in a nutshell, only considers data “identifiable” when the identity of a natural person can be determined by “reasonable means” that are directly available to the party holding such data (the respective federal agencies). Typically, this approach would imply that for data to be personal data, the further information that allows for identification is held by the relevant party that seeks identification of individuals (the federal agencies) or is at arm's length and easily accessible. The mere fact that the information held by a third party (the relevant internet providers) allows for identification of the natural persons related to the IP addresses is not sufficient according to the German government, especially since these internet providers are not allowed to provide such information without a proper legal ground to do so.
The AG identifies the opposite doctrine, advocated by Mr. Breyer, as the “absolute approach”. Under this doctrine, data that can be combined with any information that in theory (an abstract risk) can be used for identification must be regarded as personal data. This means that data is considered personal data insofar as any information exists somewhere (including information held by a random, unknown third party) that would allow for identification. Breyer argues that, although such a possibility for identification may sometimes be very small, there is an inherent abstract risk of identification of such natural persons that deserve protection under the Privacy Directive.
In his opinion, the AG concluded that dynamic IP addresses qualify as personal data for the federal agencies insofar as the additional information held by the internet provider allows for identification of the visitor. The AG came to this conclusion under explicit reference to recital 26 of the Privacy Directive: “to determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person”. Though the AG acknowledged that the internet provider would not in all instances provide such information (for example due to legal restrictions), the internet providers do qualify as “means likely to be used”, and specifically by the federal agencies. The AG continues to make the point that, should a federal agency wish to identify an individual (for example to claim damages after misuse of a website) via an IP address, it would “likely reasonably” turn to an internet provider to request the identifying information belonging to the IP address.
With the above, the AG discards the absolute approach as too broad: the possibility that there could be information (somewhere, anywhere) that allows for identification of individuals can never be excluded (especially in the era of big data, as highlighted in the opinion). All the same, the AG also does away with the strict interpretation that data only qualifies as personal data if the same entity also holds the information that allows for identification or has such information readily available. The AG aims for a solution somewhere in the middle: the scope of such information that could identify a natural person is limited to the means that are “likely reasonably to be used” by a specific party (here: the federal agencies). This would exclude any hypothetical, unknown or inaccessible ways of obtaining information (also considering factors such as available budget, manpower and legal restrictions), but does include using third parties that may hold information insofar as these parties are “likely reasonably to be used” by a specific party should such party wish to identify a natural person in a data set.
The AG’s opinion is merely advisory in the ECJ’s process of coming to a ruling. Whether or not the ECJ will ultimately adopt, dismiss or otherwise deviate from the AG’s opinion remains to be seen, though it must be noted that this has been the case in many of the ECJ’s rulings on the Privacy Directive (including the cases Google Spain and Schrems/Facebook). Whatever the outcome may be, any clarity on the definition of personal data must be welcomed by all.
Dec 06 2023