European Court of Justice finds that Dynamic IP addresses can be personal data

First published in Business Connect, the magazine of the American Chamber of Commerce.

By Daniel Corcoran, International General Counsel of Marchex, Inc. and Mitko Karushkov, Partner TMT, Kambourov & Partners

What is new
On 19 October 2016, the European Court of Justice (“the Court”) answered an open question about the nature of dynamic IP addresses and how they may be considered personal data.

It is in the context of rapidly advancing sorting and identifying technology, combined with an abundance of individual data points today, that the Court considered the case of Patrick Breyer v. Federal Republic of Germany. 
In practical terms, the judgement of the Court means that when a person accesses online content made available to the public by an online media service provider, the “log file data” of such access has the regulatory nature of personal data. The key point is that the access was made through a dynamic IP address.

An IP address is essentially an identifier related to a device, whether a computer or phone. This address is used by electronic communications networks or Internet service providers to allow access and deliver services. An IP address can be static or dynamic. The static IP address is often a single identifier that may be assigned to a device; its persistent nature allows for easy identification of a device and an individual and is mainly considered personal data as a result.

The European Court of Justice already stated in 2011 that IP addresses ‘are protected personal data because they allow those users to be precisely identified’. That statement, however, addressed IP addresses from the perspective of Internet service providers.
The extension made by the 2016 judgement of the Court is that online media service providers are now also to consider dynamic IP addresses as personal data.

Dynamic IP addresses are constantly changing and may be less easy to associate with a device and therefore an individual. This approach would appear to be an effective means of masking the device or individual and therefore avoiding the collection of personal data in the process of providing services.

The status of Dynamic IP addresses as of 2016
In the case decided by the Court in 2016, Mr. Breyer challenged the German government’s practice of logging the dynamic IP addresses of persons accessing its websites. It was claimed that this collection amounted to the improper use of personal data: dynamic IP addresses, when combined with additional information, could be used to identify an individual.

The question before the Court was whether the European Directive must be interpreted as meaning that an IP address which an online media service provider stores when its website is accessed already constitutes personal data for the service provider if a third party (an access provider) has the additional data required in order to identify the person accessing the website.

The Court relied on a fact-based approach in considering the nature of the data. It also clarified the test: whether the online service provider has the opportunity of potentially identifying an individual, and whether it has the legal and practical means to do so with additional data from a third party.

The Court ruled that dynamic IP addresses may constitute ‘personal data’ where a third party possesses additional data relevant to identify the individual and this third party (e.g. Internet service provider) can be legally and practically asked to provide this additional data. The combination of data must be by a ‘means likely reasonably to be used to identify’ the individual.

Practical aspects
Online content operators and providers of mobile apps and third-party cookie IDs should review and possibly adapt their practices and contractual frameworks in light of the Court ruling. It is irrelevant whether these companies/organizations are private, public or governmental.

Individuals accessing public online content should be aware that traveling with their laptop away from home/office or selecting a random connectivity network on their device would lead to their potential identification.
EU Member States will need to bring their regulations and rulings on dynamic IP addresses into compliance.

Approach in the United States
As a point of comparison, in the US, the Federal Trade Commission (“FTC”) has provided some guidance through public speeches and statements. In April of 2016, Jessica Rich, Director, FTC Bureau of Consumer Protection, wrote: “We regard data as ‘personally identifiable,’ and thus warranting privacy protections, when it can be reasonably linked to a particular person, computer, or device. In many cases, persistent identifiers such as device identifiers, MAC addresses, static IP addresses, or cookies meet this test.”

The FTC has avoided making any formal or strict characterization of browser and device identifiers as ‘personally identifiable’ information for purposes of Section 5 of the FTC Act. A number of Federal Courts have ruled in ways that would make such a statement difficult.

Nonetheless, recent pronouncements and evolving guidance reinforce the statement about linkage to specific individuals. In its 2012 Report on Protecting Consumer Privacy in an Era of Rapid Change, the FTC concluded that privacy protections apply “even if the individual pieces of data do not constitute PII [Personally Identifiable Information], ‘as long as the consumer data can be reasonably linked to a specific consumer, computer, or other device’”.

Similarly, in the FTC’s 2013 amendments to the Children’s Online Privacy and Protection Act, the FTC defined “personal information” to include “persistent identifiers,” such as IP addresses, but only when such persistent identifiers are used to track users over time and across websites or online services.

Essentially, the FTC can be expected to analyze the facts: in cases where the IP address can be combined with other information to recognize a specific user, the IP address would likely be treated as personally identifiable information. However, Ms. Rich confirms that no change has been made to the FTC position that ‘all forms of personal information don’t need the same level of protection’ and that the protections should be ‘appropriate to the risks’.

This flexibility allows providers to consider the facts and purposes. In the US, companies should be able to handle IP addresses and other persistent identifiers differently than other more transparent types of personal information (such as names and addresses).