AG’s opinion on dynamic IP addresses may shed a broader light on the definition of “personal data”

The answer to one of two prejudicial questions asked to the European Court of Justice ("ECJ") by the German Supreme Court, the Bundesgerichtshof (“BGH”), may provide more guidance on what data can be regarded as personal data and their relation to what can be considered as information relating to an identifiable individual. In his recent opinion the Advocate Generale, Mr. Sánchez-Campos Bordona, advised the ECJ to consider dynamic IP addresses held by websites to qualify as personal data insofar internet providers are able to relate the addresses to the subscribers.

The ECJ's final ruling in this case is expected in a few months, in which the ECJ may adopt, dismiss or deviate from the AG's opinion as it deems fit. Companies are advised to keep a close watch on the outcome of this case (which will be covered in our newsletters), as it may have an impact on whether or not certain data sets qualify as personal data. This holds true for IP addresses in particular, but may also extend to the general concept of personal data and related anonymisation and pseudonymisation techniques.

Background

A concerned member of parliament for the German Piratenpartei, Mr. Patrick Breyer, opposed to the collection of IP addresses (both dynamic and static addresses) by a number of websites run by German federal agencies. The German government, on behalf of the agencies, argued that it needs these IP addresses, among other data (including date and time of visit, search terms and files downloaded), in order to prevent internet attacks and enable prosecution of those who violate the law. The government further argued that the data logs (including the IP addresses) do not qualify as personal data, since the information does not allow identification of natural persons. According to the German government, the reason for this is that the information that may allow for such identification, is not with the federal agencies, but with the internet providers that provide internet-connectivity to the visitors of the website know which IP addresses belong to which subscribers.

Relative approach

The AG qualifies the interpretation of the German government as the “relative approach” on what is considered as “identifiable information”. The relative approach, in a nutshell, only considers data “identifiable” when the identity of a natural person can be determined by “reasonable means” that are directly available to the party holding such data (the respective federal agencies). Typically, this approach would imply that for data to be personal data, the further information that allows for identification is held by the relevant party that seeks identification of individuals (the federal agencies) or is at arm's length and easily accessible. The mere fact that the information held by a third party (the relevant internet providers) allows for identification of the natural persons related to the IP addresses is not sufficient according to the German government, especially since these internet providers are not allowed to provide such information without a proper legal ground to do so.

Absolute approach

The AG identifies the opposite doctrine, advocated by Mr. Breyer, as the “absolute approach”. Under this doctrine, data that can be combined with any information that in theory (an abstract risk) can be used for identification, must be regarded as personal data. This means that data is considered personal data, insofar any information exists somewhere (including information held by a random, unknown third party) that would allow for identification. Breyer argues that, albeit such a possibility for identification may sometimes be very small, there is an inherent abstract risk for identification of such natural persons that deserve protection under the Privacy Directive.

The AG’s opinion

In its opinion, the AG concluded that dynamic IP addresses qualify as personal data for the federal agencies insofar the additional information held by the internet provider allows for identification of the visitor. The AG came to this conclusion under explicit reference to recital 26 of the Privacy Directive: “to determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person”. Though the AG acknowledged that the internet provider would not in all instances provide such information (for example due to legal restrictions), the internet providers do qualify as “means likely to be used”, and specifically by the federal agencies. The AG continues to make the point that, should a federal agency wish to identify an individual (for example to claim damages after misuse of a website) via an IP address, it would “likely reasonably” revert to an internet provider to request for the identifying information belonging to the IP address.

With the above, the AG discards the absolute approach as too broad: the possibility that there could be information (somewhere, anywhere) that allows for identification of individuals can never be excluded (especially in the era of big data, as highlighted in the opinion). All the same, the AG also does away with the strict interpretation that data only qualifies as personal data if the same entity also holds the information that allows for identification or has such information readily available. The AG aims for a solution somewhere in the middle: the scope of such information that could identify a natural person is limited to the means that are “likely reasonably to be used” by a specific party (here: the federal agencies). This would exclude any hypothetical, unknown or inaccessible ways of obtaining information (also considering factors such as available budget, manpower and legal restrictions), but does include using third parties that may hold information insofar these parties are “likely reasonable to be used” by a specific party should such party wish to identify a natural person in a data set.

The AG’s opinion has a mere advisory character in the ECJ’s process to come to a ruling. Whether or not the ECJ will ultimately adopt, dismiss or otherwise deviate from the AG’s opinion remains to be seen, though it must be noted that this has been the case in many of the ECJ’s rulings on the Privacy Directive (including the cases Google Spain and Schrems/Facebook). Whatever the outcome may be, any clarity on the definition of personal data must be welcomed by all.