CJEU rules IP addresses may constitute personal data
On 19 October 2016, the CJEU ruled, in Breyer v Bundesrepublik Deutschland (Case C-582/14), that dynamic IP addresses may constitute "personal data" under the Data Protection Directive, where a website operator has the legal means of identifying the visitor by use of additional information held about him/her by the ISP. The decision confirms the stance taken by the Scarlet Extended (Case C-70/10) (at para. 51), where the CJEU essentially held that IP addresses are "personal data" because they allow those users to be precisely identified. However, that finding by the CJEU related to the situation in which the collection and identification of the IP addresses of internet users is carried out by ISPs.
The CJEU's decision in Breyer is, however, at odds with the approach taken by the Irish High Court, in EMI Records v Eircom  IEHC 108 which held that IP addresses were not personal data in the hands of record companies.
Although the decision does not refer to pseudonymous data, it supports the view of Article 29 Working Party and the Irish Data Protection Commissioner, that pseudonymous data, such as key-coded data, which allows identification using indirect means, may be "personal data" and fall within the remit of the Directive.
The German Court made a reference to the CJEU asking, firstly, whether a dynamic IP address (which changes each time there is a new connection to the internet) constitutes "personal data" in the hands of a website operator. The referring court’s question was based on the premise that data consisting in a dynamic IP address do not, without more, give the website operator the possibility to identify the user, as only the ISP has the additional identifying data.
Secondly, the German Court asked whether the operator of a website may subsequently use visitors' data for the secondary purpose of ensuring the general operability of the website, and enable it to bring criminal proceedings where necessary.
The CJEU held that a dynamic IP address registered by a website operator, which is accessible to the public, constitutes "personal data" if the operator has the legal means to identify the visitor with the help of additional information held by the visitor's ISP.
The CJEU noted that recital 26 of the Directive states that, to determine whether a person is identifiable, account should be taken of "all the means likely reasonably to be used either by the controller or by any other person" to identify the said person. It held that that wording suggests that, for information to be treated as "personal data", it is not required that all the information enabling the identification of the data subject must be in the hands of one person. Therefore the fact that the additional data necessary to identify the user of a website are held not by the website operator, but by that user’s ISP provider does not exclude the dynamic IP addresses registered by the operator from constituting "personal data".
The CJEU found that German law does not allow the ISP to transmit directly to the website operator the additional data necessary for the identification of the data subject. However in the event of a cyberattack, legal channels exist for website operators to contact the competent authority, so that the latter may take steps to obtain information about the identity of an individual from the ISP that assigned the IP address, in order to bring criminal proceedings.
It was also held that website operators may have a legitimate interest in ensuring the continued functioning of their website which goes beyond each specific use of their publicly accessible websites.
The CJEU's decision in Breyer clarifies that IP addresses may be "personal data" where there is a legal means, reasonably likely to be used, to identify the user of the IP address, unless it requires a disproportionate effort in terms of time, cost and manpower. Accordingly, whether an IP address is "personal data" must be ascertained on a case-by-case basis.
Breyer also demonstrates that IP addresses may be "personal data" in the hands of a website operator, even where the identifying information is not transmitted by the ISP to the website operator (in this instance German law prohibited such transmission), so long as there exists a legal means to link the IP address to an identifiable individual.
Both IP addresses, and pseudonymous data, are also likely to be deemed "personal data" under the GDPR, once it comes into force in May 2018. Not only does the GDPR contain a broader definition of "personal data" which includes an "online identifier" (i.e. IP addresses) where it enables a person to be identified directly or indirectly, it also retains the "means likely reasonably to be used" test (in recital 26 of the GDPR) to determine whether an individual is identifiable.