On 19 October 2016, the Court of Justice of the European Union (the "ECJ") handed down its judgment in Case 582/14, Patrick Breyer v the Federal Republic of Germany, holding that, under specific circumstances, dynamic IP addresses can be classified as personal data.  Earlier this year, Advocate General Manuel Campus Sanchez-Bordona had issued his opinion on the case (See, VBB on Business Law, Volume 2016, No. 5, p. 7, available at www.vbb.com).

The case arose out of a request for a preliminary ruling by Germany's highest civil court, the Bundesgerichtshof, in proceedings between Mr Breyer and the Federal Republic of Germany. Mr Breyer sought to prevent Germany (the "Website Operator") from registering and storing dynamic IP addresses assigned to him when he had accessed several internet sites operated by German Federal institutions. Some devices have static IP addresses that are permanently assigned, but most have dynamic IP addresses which are attributed on a temporary basis and change with each new internet connection. For this reason, a dynamic IP address cannot generally provide a website operator with sufficient information to identify an individual user, unless the operator obtains additional information from the Internet service provider ("ISP") which assigned the address to the device. 

Mr Breyer argued that dynamic IP addresses were personal data and, therefore, according to German Telemedia Law, consent would be required for the Website Operator to process the data in that way. Germany retorted that dynamic IP addresses were not personal data because the information did not relate to an "identified or identifiable person" as required by Article 2(a) of Directive 95/46 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the "Data Protection Directive"). This led the Bundesgerichtshof to refer two questions to the ECJ.

The first question was whether a dynamic IP address can constitute personal data if a third party, such as an ISP, holds additional data which links the dynamic IP address to its corresponding users.  In its response, the ECJ observed that it appeared that there is a possibility in German law for the Website Operator to contact a competent authority who could then obtain, from the ISP, the information required to identify the person. This observation led the ECJ to conclude that dynamic IP addresses are personal data, if website operators have legal means to identify the person by using additional information which the ISP has about that person.

The second question was whether a provision of national law can limit the application of Article 7(f) of the Data Protection Directive. That provision allows personal data to be processed without consent if it is necessary for legitimate interest purposes and is not overridden by the rights and interests of the person to whom the data relates. German law only allows website providers to collect and use personal data without consent to the extent necessary to facilitate, and charge for, the specific use of those services and not for the general operability of the service.

In deciding that the German law should be interpreted in line with Article 7(f) of the Data Protection Directive the ECJ noted that the ground under Article 7(f) was wider than the limited circumstances provided for in German law. Moreover, the Court stated that the German law was too restrictive because it excluded the possibility to balance, in each case, the legitimate objective of ensuring the general operability of the website against the interests or fundamental rights of its users, as required under EU law.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.