Lorna Woods reports on the recent judgment of the Court of Justice of the European Union and explains its implications
The Court of Justice has recently handed down a judgment dealing with the question of whether a dynamic IP address should be seen as personal data. Case C-582/14 Patrick Breyer v Bundesrepublik Deutschland has some significance because rather than relating to the relatively small class of ISPs (as previous case law has done – eg Scarlet Extended (Case C-70/10)), it applies to the operators of websites – a much larger and more diverse class of operators. On top of that, Breyer can add to our understanding of anonymity and identifiability for the purposes of determining personal data more broadly than the Internet context. Problematically, however, Breyer leaves a number of questions unanswered. Of course, the impact of Breyer – such as it is – may be limited given the approach of the General Data Protection Regulation (GDPR).
Some websites, such as those in issue here, keep a log of which pages have been viewed, when, and by which IP address. Patrick Breyer objected, relying on his data protection rights to prevent the German state, the operator of the site in question, from holding and further processing the information in the log. The issue of whether personal data was in issue was contested. Crucially, the IP address was a dynamic IP address, allocated by the ISP for the session rather than a static IP address with a permanent link to Patrick Breyer. While the ISP would have the records (for billing and for regulatory purposes) to link Breyer to the dynamic IP address used at particular times, the website operator would not. So, while the Court in Scarlet Extended (Case C-70/10) held in broad terms that the IP addresses of internet users were protected personal data because they allow users to be precisely identified, that case is different from the situation here. There, the ISP was tracing the user and held the necessary information so to do; here the website operator does not have all the information to allow identification. Data only fall within the scope of personal data triggering the data protection regime when they relate to an identified or identifiable natural person ('data subject') (Article 2 of the Data Protection Directive). The matter came before the Bundesgerichtshof (Federal Court of Justice, Germany), which made a reference to the CJEU on the meaning of Article 2a of the Data Protection Directive. It also referred a question on the scope of a processor's legitimate interest, as specified in Article 7 of the Data Protection Directive, to understand if the security of the website could justify the German Government in maintaining its logs after the relevant session had finished.
The first issue was whether the situation fell within the Data Protection Directive at all – ie was personal data involved? The CJEU noted that Article 2a envisages indirect as well as direct identification of a person. It continued that this phraseology means that an assessment of identifiability can take into account information beyond that contained in the data itself. Recital 26 provides that, in determining whether an individual is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person (at ). From this wording, the Court concluded (at ) that:
'for information to be treated as "personal data" within the meaning of Article 2(a) of that directive, it is not required that all the information enabling the identification of the data subject must be in the hands of one person'.
On this basis, the fact that the 'connecting information' is held by the ISP does not itself mean that the logs are not personal data within the meaning of the Directive. The question is whether it is likely that the operator could combine the necessary information. The Court approved the reasoning of the Advocate General on this point, paraphrasing it thus (at ):
'that would not be the case if the identification of the data subject was prohibited by law or practically impossible on account of the fact that it requires a disproportionate effort in terms of time, cost and man-power, so that the risk of identification appears in reality to be insignificant.'
Given the possibility of cyber attacks on the website – which was the Government's justification for making and keeping the logs – the Court suggested (at ) that there would be 'legal channels' available to the website operator to obtain the information. On this basis, the website operator has the means reasonably to identify Patrick Breyer and the logs would constitute personal data.
This then brought the Court to the question of legitimate processing of the data, specifically Article 7(f), which justifies processing in the case of the controller's legitimate interests. The Court has held that Article 7 sets out an exhaustive and restrictive list of cases in which the processing of personal data can be regarded as being lawful, which cannot be added to (ASNEF and FECEMD (C-468/10 and C-469/10), paras 30 and 32). The German statute only seemed to permit an exception for the actual use of a network or for actual billing purposes, and neither would lend support to some general 'purpose' of ensuring the security and functionality of a telecoms system. The relevant institutions running the websites in question 'may have a legitimate interest in ensuring the continued functioning of their websites which goes beyond each specific use of their publicly accessible websites,' when protecting their sites against online attacks. They were therefore permitted to store IP addresses for this purpose, whether dynamic or static. The German legislation seemed to be narrower than the terms of Article 7, as indeed the Advocate General had suggested. This means that the German legislation was incompatible with the terms of Article 7.
In coming to its conclusion the CJEU seemed to take the relative approach in that it distinguished between the circumstances where there is an identified person in relation to the data and an identifiable one within the terms of Article 2a of the Data Protection Directive. In noting that the terms of the Directive allow for indirect identification, the Court opens the possibility for identification via third-party information as a matter of principle. Referring to Recital 26, the Court argued (at ):
'In so far as that recital refers to the means likely reasonably to be used by both the controller and by 'any other person', its wording suggests that, for information to be treated as "personal data" within the meaning of Article 2(a) …, it is not required that all the information enabling the identification of the data subject must be in the hands of one person.'
Here, the relevant information is that held by the ISP, but it need not be limited to just ISPs.
What may not immediately be obvious is that the information provider need not be an entity with whom the data controller has an existing relationship: the existing relationship is between the end-user and the ISP and, possibly, the end-user and the web-site operator (even if the operator does not know who the user is). This has a further consequence: that the connection between the operator and ISP is functional in relation to the possibility of identification. The ISP only comes into the equation here because the ISP is the entity that has the information. If we left the analysis here, this could lead to a very broad scope indeed. Effectively, it could mean that if anyone has the ability to identify the individual, then the information should be considered to be personal data. Indeed, this seems to be the impact of an objective approach to identification. Both the Court and the Advocate General stopped short of this. The Court noted (at ):
'it must be determined whether the possibility to combine a dynamic IP address with the additional data held by the internet service provider constitutes a means likely reasonably to be used to identify the data subject.'
As noted above, para 46 of the judgment gives more detail on the nature of the test: 'practically impossible on account of the fact that it requires a disproportionate effort in terms of time, cost and man-power'. On this basis the risk of identification is low.
It could be said that this effectively limits the circumstances in which personal data will be found, but looking at the facts of the case, is the approach of the Court persuasive? The basis of the log-keeping was a concern about DDoS attacks, though it is not clear if DDoS attacks ever took place, nor whether the sites were peculiarly at risk in this regard. If not, surely any site might have such a concern and wish to have recourse to law to find the perpetrator. The Court does say this argument is subject to a legal feasibility test, but in principle it is an argument that could apply to anyone. Further, the idea of needing recourse to the law to gain identifying data may arise in other contexts (eg copyright enforcement). This may then mean that the test for 'practically impossible' may be lower than first thought. If legal action to obtain the information in relation to cyber attacks is not disproportionate in terms of time, cost and man-power, would other legal action be?
Of course, once within the data protection regime, the other requirements kick in, notably those regarding legitimate processing. Consent is not normally practicable in the web browsing environment, or at least not 'real' consent, so the other bases for processing are important. Here the Court followed its approach to Article 7(f) and the data controller's legitimate interests. Again, other website operators may run the argument about needing to keep a site online. What is important to remember here is that the legitimation relates to that purpose and does not underpin wider and further processing. So to say, as some Internet advertisers seem to think (https://pagefair.com/blog/2016/reprieve-for-it-departments-as-eu-court-rules-on-ip-addresses/), that all use of user data is acceptable, rather than that which contributes to the functioning of the site, is misreading the Breyer judgment.
On one level Breyer only tells us something we know already; that IP addresses have the potential to be personal data. Of course, the General Data Protection Regulation contains an expanded definition of personal data, which specifically includes online identifiers, like IP addresses. Breyer is a further reaching judgment than Scarlet Extended. In Breyer, the fact that a person may be identifiable means that those processing data will potentially be responsible for those of whom they have no knowledge. Moreover the judgment could affect any website operator keeping logs/analysing behaviour. What is not yet known is the extent to which this reasoning would apply to other forms of data, outside the Internet context.
Lorna Woods is Professor of Internet Law at the University of Essex.