Thursday, October 20th, 2016 (4:24 pm)

Every device that connects to the Internet needs an Internet Protocol (IP) address to be assigned by your broadband / mobile ISP, but is that address “personal”? According to a new ruling from the European Court of Justice (ECJ), yes it is... sort of.

Firstly, we should point out that IP addresses tend to either be Static (i.e. the address stays the same even after you disconnect), Dynamic (i.e. the address may change if you have to reconnect) or Dynamic CGNAT / Shared (i.e. the address may change, but it can also be shared by other users at the same time as yourself). Most people connect via the dynamic system, while business connections usually adopt a static one.

The next thing to consider is that an IP address connects to a device (e.g. broadband router), which usually belongs to the bill payer. But the service itself could also be shared between many other users, such as on a public WiFi or business network. On top of that your IP address, which is owned by the network operator, is exposed to the Internet as you surf around and use different services (i.e. you have to share your IP with any server that you wish to access and all of those in-between).

In that sense a dynamic IP address isn’t strictly personal information because you can almost never be sure of the exact user. However some do contend that if, for example, vehicle registration marks are seen as personal data then the same should apply to an IP. But of course cars are much more strictly licensed, owned and taxed, and drivers can be identified directly by using eyes or cameras etc. The Internet is more complex.

However we now have an interesting case, which was pushed by Patrick Breyer (German Pirate Party) against the German Government. Patrick accessed a number of websites run by the German government and was unhappy to find that his IP address, along with other data, was being stored in log files and that they were searchable by third-parties.

The former is fairly normal (all websites know your IP in order to process requests and for security measures etc.) and so is the latter because nearly all websites gather statistics that include IP data, which is often processed by third parties like Google etc.

But the German government dismissed Patrick’s complaint and his subsequent appeals because he was using a Dynamic IP (i.e. the actual user / owner couldn’t be accurately identified) and so he took his case to the ECJ, which was asked to consider the following two points.

ECJ Points for Review

(1) Must Article 2(a) of Directive 95/46 … be interpreted as meaning that an internet protocol address (IP address) which an [online media] service provider stores when his website is accessed already constitutes personal data for the service provider if a third party (an access provider) has the additional knowledge required in order to identify the data subject?

(2) Does Article 7(f) of [that directive] preclude a provision in national law under which a service provider may collect and use a user’s personal data without his consent only to the extent necessary in order to facilitate, and charge for, the specific use of the telemedium by the user concerned, and under which the purpose of ensuring the general operability of the telemedium cannot justify use of the data beyond the end of the particular use of the telemedium?

The ECJ has now ruled that, in the case of no.1 above, the directive “must be interpreted as meaning that a dynamic IP address registered by an online media services provider when a person accesses a website that the provider makes accessible to the public constitutes personal data within the meaning of that provision, in relation to that provider, where the latter has the legal means which enable it to identify the data subject with additional data which the internet service provider has about that person.”

In short, a dynamic IP address can technically now be considered personal information, assuming you can legally get the associated ISP to help with that identification (easier said than done). It’s a decision that could have far-reaching ramifications, not only for Governments but also for almost anybody who runs an Internet service or website in the EU. Tracking, processing and logging of IPs is a big part of how Internet services work.

However on point no.1 the ECJ did recognise that it “must be determined whether the possibility to combine a dynamic IP address with the additional data held by the [ISP] constitutes a means likely reasonably to be used to identify the data subject.”

The court noted that identification of the data subject may run into problems if it’s “prohibited by law or practically impossible on account of the fact that it requires a disproportionate effort in terms of time, cost and man-power, so that the risk of identification appears in reality to be insignificant.”

Most ordinary websites would neither be able, nor have the resources or desire, to go through the courts in order to identify one of their users, which is also assuming they even have a viable IP address or legal grounds to make such a request to an ISP in the first place (plus the ISP may not even hold the data). This is an IP address that, we must not forget, is neither created nor owned by the Internet user. Fun.

As for no.2, the ECJ ruling didn’t change much and confirmed that “an online media services provider may collect and use personal data relating to a user of those services, without his consent, only in so far as the collection and use of that information are necessary to facilitate and charge for the specific use of those services by that user” (a little ambiguous, as perhaps intended).

The full ruling can be read here and at this stage some aspects still appear open to interpretation, which may need to be tested in further cases before we know precisely how this might affect the wider online world.

UPDATE 21st October 2016

It’s been noted to us by Patrick Breyer himself that the English translation of the judgement (as linked above), which was originally made in French, suffers from what may be a small but critical flaw in the language.

Paragraph 49, which concludes the outcome for point no.1, states: “where the latter has the legal means which enable it to identify the data subject with additional data which the internet service provider has about that person.” But the French version reads, “lorsqu’il dispose de moyens légaux lui permettant de faire identifier la personne concernée grâce aux informations supplémentaires dont dispose le fournisseur d’accès à Internet de cette personne.”

Now my French is appalling and I wouldn’t trust any of the online translators with this, but in Breyer’s view the French version actually translates to “let [a third party] identify.” Put another way, while also taking account of Paragraph 47 (“competent authority … can take the steps necessary to obtain that information from the internet service provider and to bring criminal proceedings”), even if the data processor has no legal means of identification, its data can be identified by other processors and that suffices to make it personal data.

So in theory it is not required that the website operator can identify a user; instead it is sufficient that he/she can merely have him identified by the authorities. On the other hand the ECJ was not tasked with deciding on some of the wider issues, such as whether website operators may retain IP addresses in bulk or whether the users’ privacy rights prevail. No doubt future cases may have to examine those.