Data Protection Report - Norton Rose Fulbright

The October 19, 2016 judgment of the European Court of Justice in the matter brought by Patrick Breyer against the Federal Republic of Germany (the “EU Decision”) raises the issue of whether an IP address is personal information under the EU Directive 95/46/EC and provides an interesting comparison with the Canadian perspective.

The EU Decision

As we have covered on this blog, in the EU Decision, Mr. Breyer claimed that the Federal Republic of Germany had no right to retain the IP address from the device he used to search for information on various government websites. He contended that his IP address is personal information that the website operator may keep only for the purpose of facilitating access to the site and not for general purposes such as safeguarding the security of the site or fending off cyber-attacks, such as denials of service.

The Court of Justice held that where third parties, such as internet service providers (“ISP”), have subscriber information that can be legally accessed by the website operator and used in conjunction with the IP address to identify the visitor, the IP address is personal information. The Court seemed to leave open the question of whether the IP address would constitute personal information if the holder of it could not reasonably or legally obtain the other information needed to identify the owner of the address. In so doing, it adopted a “relative” definition of personal information.

The Court also held that individual states could not pass legislation that forbids the use of an IP address for any purpose other than facilitating network access and billing.

The Canadian Perspective

The EU Decision provides an interesting contrast with the view of the Office of the Privacy Commissioner (“OPC”) in Canada. In a research paper published in May 2013, the OPC revealed that an IP address, combined with other publicly available information, even without any access to the ISP subscriber records, may permit identification of the owner and his or her web-browsing or other activities. Based on this finding, an IP address may in many circumstances be personal information regardless of whether the ISP subscriber records linking that address with an individual are legally accessible to the organization collecting the IP address. Thus, in Canada, IP addresses may be treated as personal information in more situations than in the EU.

This conclusion is consistent with an earlier decision of the OPC in which it held that an organization’s advertising server could not attempt to access the NETBIOS of a visitor’s computer without consent. A NETBIOS is, according to the OPC, “[a] computer’s common or “friendly” name related to its Internet protocol (IP) address.”

A word of caution, however, is appropriate. The OPC’s findings do not mean that consent to the collection of an IP address is always required. There may be a number of legitimate reasons for collecting this information, including those relating to security of the site. These reasons would not necessarily extend, however, to collection and use of IP addresses for advertising purposes without some form of consent.[1]

Our Take

Whether an IP address constitutes personal information impacts the use of the information for behavioural advertising and other purposes. Canada and the EU are grappling with the limits that should be placed on the use of IP addresses for targeted or behavioural advertising. Moreover, pursuant to a US Federal Communications Commission order announced last week, Internet Service Providers will in the future have to obtain opt-in consent for the use of sensitive information such as precise geo-location, browsing and app history (any of which may be used in conjunction with IP addresses), including for purposes of behavioural or targeted advertising. Companies operating in the EU, Canada, and the United States should monitor closely the evolving regulatory landscape respecting the use of IP addresses for purposes other than providing service, billing for that service, and maintaining the security and integrity of their networks.

[1] The OPC’s view on when that consent must be opt-in rather than opt-out is discussed in PIPEDA Report of Findings #2015-001.
