The Court of Justice of the European Union ("CJEU")
has ruled that dynamic IP addresses can constitute
Dynamic IP addresses, registered by a website provider when an
individual accesses its website, shall constitute personal data
where the operator has the legal means to combine the data
with additional data (held by the internet service provider) to
identify the data subject.
What is a "dynamic IP address"?
An IP (Internet Protocol) address is a unique number assigned to
every device on a network. The IP address identifies the device on
the internet. Most devices use dynamic IP addresses, which
are assigned by the network when they connect and change over time
(whereas static IP addresses do not change).
Whether a dynamic IP address constitutes personal data has been
a grey area for quite some time, so the CJEU's ruling in
Breyer v Bundesrepublik Deutschland (Case C-582/14) takes
us a step closer toward legal certainty on the topic.
Question for the CJEU
Mr Breyer brought an action alleging that dynamic IP addresses
were personal data, and challenged the collection, use and storage
of them by the website providers. The case eventually made its way
to the German Federal Court of Justice, which then referred a
question to the CJEU: does a dynamic IP address constitute personal
data under Article 2(a) of the Data Protection Directive
It was recognised that dynamic IP addresses, alone, do not
provide the website provider with enough data to identify users.
The website provider needs to obtain additional data held by the
internet service provider. The CJEU, however, looked to what
"legal means" existed to enable the website provider to
obtain the necessary additional data from the internet service
provider in order to identify the data subject.
Here, the court said that in the event of cyber attacks, legal
channels existed, enabling the website provider to obtain that
additional information. For that reason, it was held that these
dynamic IP addresses did constitute personal data.
The court did qualify this and said that it must be determined
whether the possibility to combine the dynamic IP address with
other data constitutes a means likely to be used to identify the
data subject. The question, therefore, is, does it require a
"disproportionate effort"? This is to be measured in
terms of time, cost and man-power.
Do we have legal certainty?
To some degree, yes. However, the CJEU has qualified this with a
new test, "disproportionate effort". Whether this will
add to, or settle, the confusion is yet to be seen.
What we do know is that it is accepted that a dynamic IP address
could constitute personal data. This happens to be in line
with the new General Data Protection Regulation which has expanded
the definition of "personal data" to include "online
identifiers"; but that is not scheduled to come into effect
until 25 May 2018.
Website providers will therefore need to act sooner and review
their processes for collecting, using and storing dynamic IP
addresses to consider what implications this decision might have
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).