July 18, 2019

July 17, 2019

Subscribe to Latest Legal News and Analysis

July 16, 2019

Subscribe to Latest Legal News and Analysis

July 15, 2019

Subscribe to Latest Legal News and Analysis

IP Addresses Constitute Personal Data According to Court of Justice of European Union

In a decision dated 19 October 2016, the Court of Justice of the European Union (CJEU) has provided much needed clarification on a long-standing issue in EU data protection law.

A German politician brought an action concerning websites operated by the Federal Republic of Germany that stored personal data, including IP addresses, on logfiles for two weeks.  The question before the CJEU was – are IP addresses personal data?  According to Article 2(a) of EU Directive 95/46personal data” is any information relating to an identified or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly from the data.

The CJEU ruled that dynamic IP addresses constitute personal data for an online media service provider (here the Federal Republic of Germany) that makes a website accessible.

A dynamic IP address means that the computer’s IP address is newly assigned each time the website is visited.  Unlike static IP addresses, it is not possible for dynamic IP addresses, using only files which are accessible to the public, to create an identifiable link between the user’s computer and the physical connection to the internet provider’s network . Hence, the data included in a dynamic IP address does not enable the online media service provider to identify the user.

However, according to the CJEU, a dynamic IP address will be personal data if the additional data necessary to identify the user of a website is stored by the user’s internet service provider. The website provider only needs to have the legal means which enables him to identify the user. Legal means are, for example cyber attacks and does not have to be applicable for the specific case.

This decision has significant practical implications for all website providers, because the storing of user information by internet service providers falls under data protection laws. Ultimately, the website provider needs the consent of the user to store the dynamic IP address. This will also apply after the General Data Protection Regulation (GDPR) comes into force in May 2018, because Article 2 of Directive 95/46 is incorporated in almost the same words in Article 4 (1) of the GDPR.

© Copyright 2019 Squire Patton Boggs (US) LLP

TRENDING LEGAL ANALYSIS


About this Author

Annette Demmel, Information Technology Attorney, Squire Patton Boggs Law Firm
Partner

Dr. Annette Demmel is a partner in our Data Privacy & Cybersecurity Practice Group in Berlin. For 20 years, Annette has advised national and international businesses in privacy law, technology law, telecommunications law, intellectual property law, media law and competition law.

In particular, she leads the implementation of privacy compliance programs and centralized software systems, and provides advice on policy and regulatory issues arising in the electronic communications and internet sectors. Annette also advises clients on legal...

+49 30 72616 8226
Associate

Christina Schattauer is an associate in our Intellectual Property & Technology Practice Group based in Berlin. She specialises in trade mark, design and copyright law, media and unfair competition law. Furthermore, she advises national and international businesses in privacy, technology and telecommunications law.

Christina served her legal clerkship at the Higher Regional Court (Kammergericht) of Berlin with stations at a boutique IP law firm in Berlin and an IP law firm in Sydney, Australia. Prior to joining the firm she participated in a LL.M. program in international IP law at the Technical University of Dresden and the Queen Mary University of London.

49-30-72-616-8226