The Advocate General ("AG") thinks so, at least in relation to the recent case it considered regarding the storing by website providers of IP addresses in connection with access to their websites. This adds further food for thought to previous case law from the CJEU and opinions from the Article 29 Working Party on whether static and/or dynamic IP addresses should be considered to be personal data.
Who holds what?
In the AG's opinion (Breyer v Bundesrepublik Deutschland, Case C-582/14, 12 May 2016) the AG stated that if:
- an internet service provider ("ISP") has a record of the temporary "dynamic IP address" assigned to a particular user's device (potentially identifiable data); and
- a website provider has a record of the web pages accessed by that dynamic IP address (but no other data that would allow identification of the individual);
this information combined could constitute personal data in the hands of the website provider. This is irrespective of the fact that in reality the chance of obtaining that extra identifying information from the ISP may be slim (as the ISP has to meet its own legal obligations before it just hands over the data), but is based on there being a "reasonable chance" of identification (in line with the Directive, see below).
How does the Opinion tie in with current law?
Directive 95/46/EC says that personal data is "any information relating to an identified or identifiable natural person" and that an "identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number…" The recitals make it clear that "all the means likely reasonably to be used either by the controller or by any other person to identify the said person" should be taken into account in order to determine whether a person is identifiable.
The AG clarifies that "any other person" does not strictly mean any other person, it means certain third parties, such as website providers, who might reasonably be approached by internet service providers ("ISPs") who wish to obtain additional information for clarification purposes.
In coming to a conclusion, the AG considered the position if a dynamic IP address was not considered to be personal data in the hands of a website provider. The AG's concern with this position was that the provider "could keep [the IP address] indefinitely and could request at any time from the Internet access service provider additional data to combine with the IP address in order identify the user" – i.e. it is better to be over protective (by treating the data as personal) than under protective (which allows unlimited use of potentially identifiable data).
What other authority do we have on this?
The CJEU has considered this question previously, but the difference was that the CJEU was required to decide whether IP addresses that allowed users to be "precisely identified" by the ISP (rather than the website provider) could constitute personal data – the court found that they could.
In addition, the Article 29 Working Party has considered the issue where IP addresses are held by the ISP stating that "unless the [ISP] is in a position to distinguish with absolute certainty that the data correspond to users that cannot be identified, it will have to treat all IP information as personal data, to be on the safe side". Therefore the scope for IP addresses (static or dynamic) to be considered personal data, in the Article 29 Working Party's eyes, is broad.
What does the GDPR say?
It's been made clear in the General Data Protection Regulation ("GDPR") that IP addresses should be considered as personal data as the text includes "online identifier", in the definition of "personal data". Recital 30 clarifies that "online identifier" includes IP addresses.
Why does this matter?
It will be for the CJEU to decide whether to follow AG's approach, but we can see that the EU regulators and authorities are recognising the change in the technological landscape and the ease at which controllers can now run big data analytics in order to compare data sets and ultimately obtain identifying data. Essentially, if there is a risk (even though slim) that individuals could be identified from IP addresses (static or dynamic, in the hands of the ISP or the website provider) the EU regulators opinion appears to be that this should be treated as personal data.
Businesses need to consider now how they deal with IP addresses, whether they treat them as personal data or not. The message is clear – the usual rules relating to personal data under current EU data protection law (and certainly under the GDPR) should be applied to IP addresses, e.g. controllers must inform users they hold this information, they must tell them why, they must allow them access to this data etc. If website providers can avoid holding IP addresses, or limit them in some way, for example by removing the final octet from the IP address and thereby removing the link to the user's device, this will help, certainly in relation to the security requirements under the current Directive and most importantly under the GDPR. In effect this decision could push the clock on GDPR preparedness, at least for this specific issue for certain ISPs, significantly ahead
Note that a business that takes the risk and fails to deal with IP addresses as personal data (particularly following the implementation of the GDPR) may be subject to enforcement action, which will become far more stringent under the GDPR.