On 19 October 2016, the Court of Justice of the European Union
(the "ECJ") handed down its judgment in Case 582/14,
Patrick Breyer v the Federal Republic of Germany, holding
that, under specific circumstances, dynamic IP addresses can be
classified as personal data. Earlier this year, Advocate
General Manuel Campos Sánchez-Bordona had issued his opinion on the
case (see VBB on Business Law, Volume 2016, No. 5, p. 7,

The case arose out of a request for a preliminary ruling by
Germany's highest civil court, the Bundesgerichtshof, in
proceedings between Mr Breyer and the Federal Republic of Germany.
Mr Breyer sought to prevent Germany (the "Website
Operator") from registering and storing dynamic IP addresses
assigned to him when he had accessed several internet sites
operated by German Federal institutions. Some devices have static
IP addresses that are permanently assigned, but most have dynamic
IP addresses which are attributed on a temporary basis and change
with each new internet connection. For this reason, a dynamic IP
address cannot generally provide a website operator with sufficient
information to identify an individual user, unless the operator
obtains additional information from the Internet service provider
("ISP") which assigned the address to the

Mr Breyer argued that dynamic IP addresses were personal data
and, therefore, according to German Telemedia Law, consent would be
required for the Website Operator to process the data in that way.
Germany retorted that dynamic IP addresses were not personal data
because the information did not relate to an "identified or
identifiable person" as required by Article 2(a) of Directive
95/46 on the protection of individuals with regard to the
processing of personal data and on the free movement of such data
(the "Data Protection Directive"). This led the
Bundesgerichtshof to refer two questions to the ECJ.

The first question was whether a dynamic IP address can
constitute personal data if a third party, such as an ISP, holds
additional data which links the dynamic IP address to its
corresponding users. In its response, the ECJ observed that
German law appears to make it possible for the
Website Operator to contact a competent authority who could then
obtain, from the ISP, the information required to identify the
person. This observation led the ECJ to conclude that dynamic
IP addresses are personal data, if website operators have legal
means to identify the person by using additional information which
the ISP has about that person.

The second question was whether a provision of national law can
limit the application of Article 7(f) of the Data Protection
Directive. That provision allows personal data to be processed
without consent if the processing is necessary for the purposes of
a legitimate interest and that interest is not overridden by the
rights and interests of the person to
whom the data relates. German law only allows website providers to
collect and use personal data without consent to the extent
necessary to facilitate, and charge for, the specific use of those
services and not for the general operability of the service.

In deciding that the German law should be interpreted in line
with Article 7(f) of the Data Protection Directive, the ECJ noted
that the ground under Article 7(f) was wider than the limited
circumstances provided for in German law. Moreover, the Court
stated that the German law was too restrictive because it excluded
the possibility to balance, in each case, the legitimate objective
of ensuring the general operability of the website against the
interests or fundamental rights of its users, as required under EU