Data Protection Report - Norton Rose Fulbright

On May 12, 2016, the Court of Justice of the European Union’s (CJEU) Advocate General, Campos Sánchez-Bordona, published his opinion on a question referred to the CJEU for a preliminary ruling. The opinion argues that dynamic IP addresses should be considered to be personal data under European law. Moreover, the opinion asserts that Member States’ laws that limit the ability to store such personal data beyond the restrictions permitted in Directive 95/46EC (the Data Protection Directive) are non-compliant with European law. Although the CJEU’s final decision does not have to follow this opinion, the advocate general’s arguments are followed more often than not.

The referral arises from an action by a German Pirate Party politician, Patrick Breyer, against the German government relating to its storage of IP addresses of users visiting German government websites. Breyer asserts that such storage allows the creation of user profiles and is impermissible pursuant to Section 15 German Telemedia Act (TMA), which restricts Telemedia service providers’ collection and use of service users’ personal data (without further consent) to that which is “necessary to enable and invoice the use of telemedia (data on usage).”

The German government argued that dynamic IP addresses (as opposed to static IP addresses) are not personal data and, accordingly, Section 15 of the German TMA does not apply.

Opinion by the Advocate General

Through a reference to Recital 26 of the Data Protection Directive, the Advocate General argues that dynamic IP addresses are covered by the Data Protection Directive’s definition of personal data (in Art. 2 lit. a), so long as a third party internet service provider has the necessary knowledge to help an website operator identify an user.

Recital 26 states that in determining whether a person is identifiable, “account should be taken of all the means reasonably likely to be used either by the controller or by any other person to identify the said person.” The Advocate General’s opinion is that a request to an internet service provider is a “means reasonably likely to be used.”

The second question related to whether Member States could impose more stringent restrictions on processing beyond those contained in the Data Protection Directive. In this regard the Advocate General makes reference to the Court’s decision in ASNEF and FECEMD, which held that Article 7 of the Data Protection Directive sets out an exhaustive and restrictive list of circumstances in which the processing of personal data can be regarded as being lawful based on the principle of ensuring an equivalent level of data protection in all Member States. Consequently, Member States cannot add new principles relating to the lawfulness of the processing of personal data to Article 7 of the Data Protection Directive or impose additional requirements that have the effect of amending the scope of the six principles provided for in Article 7.

Our Take

The Advocate General’s opinion has two interesting aspects:

  • Dynamic IP addresses are deemed to be personal data. This is consistent with the view taken by some Member States and would appear to be consistent with Recital 30 of the General Data Protection Regulation (GDPR), which states explicitly that online identifiers, including IP addresses, may be regarded as personal data when combined with other information. The days of arguing otherwise appear limited.
  • The position that Member State law cannot restrict processing that is quite clearly permitted under the Data Protection Directive is of more comfort to data controllers and will be a helpful marker for Member States not to go further as they amend their legislation in light of the GDPR. The principle should ensure more harmonization and consistency across the EU if the CJEU follows the Advocate General’s conclusion in its final judgment.