October 28, 2020

Volume X, Number 302

European Court of Justice Confirms Dynamic IP Address May Constitute Personal Data But Can Be Logged to Combat Cyberattacks

On 19 October 2016, the European Court of Justice (ECJ) held (Case C-582/14 – Breyer v Federal Republic of Germany) that dynamic IP addresses may constitute personal data. The ECJ also held that a website operator may collect and process IP addresses for the purpose of protecting itself against cyberattacks, because in the view of the Court, preventing cyberattacks may be a legitimate interest of a website operator in its effort to continue the operability of its website.

The ECJ’s ruling was based on two questions referred to it by the German Federal Court of Justice (BGH). In the underlying German proceedings, a member of the German Pirate Party challenged the German Federal Government’s logging and subsequent use of his dynamic Internet Protocol (IP) address when visiting their websites. While the government is a public authority, the case was argued on the basis of German provisions that address both public and private website operators, and is therefore directly relevant for commercial companies.

IP Addresses as Personal Data

The BGH’s first question to the ECJ was whether an IP address is considered personal data (i.e., any information relating to an identified or identifiable natural person) under the EU Data Protection Directive (Directive 95/46/EC). In answering the BGH’s first question, the ECJ confirmed that dynamic IP addresses are considered personal data within the meaning of the Directive in circumstances where the data collector (e.g., a website operator) is likely or reasonably able to obtain information from a third party that would allow it to identify the user. In this case, the Court observed that the German website operator could report potential cyberattacks to the police or public prosecution, who would use the IP address to obtain the identity of the attacker from the third party internet service provider, and then make it available to victims (i.e., the German website operator) who request to inspect the records.

Preventing Cyberattacks is a Legitimate Interest

The BGH’s second question was whether the German Telemedia Act, which permits the collection of usage data that identifies individuals exclusively for the purpose of rendering a service and billing, conflicts with the Directive’s rules regarding the collection and processing of personal data. The ECJ held that the German law was too restrictive and should also allow for lawful processing of personal data if necessary to achieve a “legitimate interest” of the data controller. This may include the logging of IP addresses in order to thwart and trace cyberattacks. However, the ECJ also made clear that this objective must still be balanced against the interests and fundamental rights of the visitors of the website.

Key Takeaways

While the ECJ’s decision confirms that IP addresses may be personally identifiable, this classification is not universal. The ECJ’s decision makes clear that classifying certain data elements as personal data may depend on the actual capabilities of the data collector. In particular, if the website operator cannot legally access third party information that could be used to identify an IP address owner, or if access to such third party information is “practically impossible”, then the IP address is not personal data from that operator’s perspective. This may also be true for other data elements or indirect identifiers that are not traditionally considered personal data, such as device IDs.

On the one hand, the ECJ’s expansive definition of personal data will require data collectors to take an extra step and consider whether they can use each particular data element, in combination with other data to which they may have access, to indirectly identify an individual. On the other hand, the definition depends on each entity’s access to additional information. This means that data controllers might be able to employ pseudonymisation to escape the strict requirements of European data protection laws altogether, particularly when engaging data processors in third countries such as the US. If data controllers replace all identifying data with a label or number that is arbitrary to the processor, then that data will not be personal data from the processor’s perspective. The controllers themselves could nevertheless retain their ability to identify individuals and relate the results of the processing.

It remains to be seen how the BGH and other national courts will balance the interests of the website owners and their visitors. While the ECJ acknowledged that combating potential and concrete cyberattacks is a “legitimate interest” of a website operator, the national courts (or the ECJ under the forthcoming General Data Protection Regulation) may later draw a line that will prevent operators from excessive logging and from keeping the logs for longer than necessary. Furthermore, the Directive does not allow using data collected in this way for other purposes, and the decision should therefore not be considered a carte blanche.

© 2020 McDermott Will & Emery

National Law Review, Volume VI, Number 306

About this Author

Dr. Claus Färber, McDermott Will Emery, telecommunications industry lawyer, Intellectual Property Attorney
Associate

Claus Färber focuses his practice on all legal aspects related to the telecommunications, media and technology industries. Claus advises on cooperation agreements, outsourcing contracts and similar projects that often break new ground in the industry from a technological and legal view. Such projects regularly touch multiple sectors of the law, including contract, telecommunications, and intellectual property, and also require an understanding of the technological background.

Claus also counsels media and technology companies on consumer...

49 89 12712 153
Amy C. Pimentel, Global Privacy Staff Attorney, McDermott Will & Emery Law Firm
Associate

Amy Pimentel is an associate in the law firm of McDermott Will & Emery LLP and is based in the Firm’s Boston office.  Amy is a member of the Firm’s Global Privacy and Data Protection Affinity Group.  She focuses her practice on consumer protection, privacy, information security and international law.

Amy received her J.D. in 2014 from Northeastern University School of Law.  While in law school, Amy worked at the U.S. Department of Justice in the Office of International Affairs and interned for a judge at the International Criminal Tribunal for the Former Yugoslavia.  She also served as a research assistant for two professors and co-authored an article that was published in a nationally ranked law review.

Amy earned her B.A. in political science and a minor in Spanish language from Duke University in 2007.

Amy is admitted to practice in Massachusetts.

617-535-3948