On 19 October 2016, the European Court of Justice rendered a decision in the infamous Breyer case, which provided more clarification as to the qualification of personal data in our continuously growing digital economy. The Court ruled that dynamic IP addresses can constitute personal data even when the data controller must seek additional information from a third party in order to truly identify a person. The implications of this outcome are not to be underestimated, especially given the liability and compliance obligations of controllers, which are a lot more lenient when the data in question is not considered “personal” data. It also remains to be seen how this decision will relate to the harmonization attempts of the GDPR as Breyer seems to leave the door open for interpretation depending on other national laws that affect the concept of personal data.
Dynamic IP addresses
The case was referred to the CJEU by the German Bundesgerichtshof (the Federal Court of Justice) back in October 2014. It had been initiated by Mr. Patrick Breyer, who filed proceedings against the Federal Republic of Germany for the registration and storage of his internet protocol address (“IP address”) upon his visits to several websites operated by German Federal institutions. Most of these websites log specific information on each visitor, such as terms entered in search fields on the website, the time at which access to the website has been sought and whether this access was successful, the amount of data transferred and also the IP address of the computer that seeks access to the website.
The CJEU had answered a similar question in the Scarlet Extended decision, in which it decided that IP addresses are “protected personal data because they allow those users to be precisely identified”. In that case, however, the Court was asked to rule on a situation where both the collection and identification of IP addresses were carried out by one and the same entity (the Internet service provider), whereas here the website collecting the IP address must call upon a third party (the internet service provider) to identify the user. The specific question referred to the CJEU in the Breyer case was whether, for a public authority that owns a website and has no additional knowledge enabling it to identify an individual, dynamic IP addresses must be considered personal data if it is able to obtain additional information allowing identification from the internet service provider. A dynamic IP address is trickier than its ‘static’ counterpart, because it changes upon each connection a device makes to the internet. Because internet service providers keep records of which device was assigned which specific IP address and at what time, they have all the tools to link the IP address to an individual and as such identify a person.
Implications of the concept of personal data
The concept of personal data lies at the core of the data protection framework. The framework applies only to personal data, which is “any information relating to an identified or identifiable natural person” where “an identifiable person is one who can be identified, directly or indirectly”. This logically excludes anonymous data, a concept strongly encouraged by the current data protection framework of Directive 95/46/EC. Because fully anonymizing data appeared challenging in practice, the new data protection framework of the GDPR incentivizes pseudonymizing data to reduce privacy risks, which consists in the separation of data from direct identifying elements so that a person cannot be identified without additional information. Under the GDPR, controllers are also under specific obligations of compliance when processing personal data and are held accountable for any non-compliance with those obligations.
Mere possibility to obtain additional information for identification suffices
The Court ruled that dynamic IP addresses are personal data to an online media services provider (the website) if it is reasonably able to obtain the additional information necessary to identify a person from the internet service provider. In particular, the Court considered that where national laws exist allowing the online media service provider to contact the competent authority and obtain the information through subsequent criminal proceedings, this fulfils the condition of “means likely to be reasonably used”. As the final decision taken by the competent authority to pursue the case is discretionary and unpredictable, the Court ties the concept of ‘personal data’ to the mere possibility of obtaining this information, facilitated by national legal options available to the controller at that specific moment in time. In this particular case, the Court evaluated the legal means available to the data controller under German law in the case of cyber attacks and concluded that German law made available a “means likely reasonably to be used”, namely to contact the competent authority and obtain the necessary information in the context of criminal proceedings.
Breyer and the GDPR
Breyer’s strong reliance on the national legal options made available to the data controller suggests that the concept of personal data and, thus, the application of the data protection framework altogether can be made dependent upon national provisions in place in other domains such as criminal law. As such, (ano)the(r) door is left open for national disparity in the newly created data protection framework of the GDPR, a framework precisely created for harmonization purposes. It remains to be seen how the different Member States will act upon and apply Breyer in the context of dynamic IP addresses.
A technique strongly encouraged by the GDPR to reduce the risk associated with data processing as far as possible is the pseudonymization of data (defined in the GDPR as “the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information”). Although pseudonymous data is not exempt from the GDPR altogether, it does enjoy more “relaxed” requirements and can thus be a useful tool to data controllers. As Breyer has lowered the standard for pseudonymized data in that individuals can already be considered “reasonably likely” identifiable when national laws permit the controller to obtain the necessary information from the ISP through uncertain criminal proceedings, it remains questionable how this will be reconciled with the pseudonymization incentives of the GDPR, which adopts a far more relaxed approach as to the “reasonably likely” criterion.