On May 12, 2016, the Advocate General of the European Court of Justice (“ECJ”) Campos Sánchez-Bordona presented his conclusions in Patrick Breyer v. Bundesrepublik Deutschland (case C‑582/14). The case deals with dynamic IP addresses, i.e. those IP (“Internet Protocol”) addresses dynamically assigned to a device by an access provider (usually a telephonic carrier).
Mr. Breyer filed for an injunction against Germany to obtain the discontinuation of its practice of memorizing dynamic IP addresses.
The lower court refused to grant the injunction, while on appeal, Mr. Breyer obtained a partial victory. Both Mr. Breyer and Germany appealed to the Bundesgerichtshof, which suspended the proceeding and raised several questions for the ECJ to decide.
Particularly interesting is the question of whether Article 2(a) of EU Privacy Directive 95/46 must be interpreted in the sense that a user’s IP address memorized by a provider with reference to user’s access to its website, is “personal data” if there is a third party (here access provider) which possesses additional information which is necessary to identify the user.
The Advocate General refused to agree on a broad interpretation according to which it would be sufficient that a TP exists from which it is possible to obtain additional information, which – in association with the IP address – would allow the identification of a user, to find that IP addresses are personal data. If that were the case, since we could never exclude a TP is in possession of additional information, everything would be personal data.
However, the Advocate General points out that this is not the situation we are discussing here. Here we have a specific TP (the access provider) who is for sure in possession of additional data, which – in association with the IP address – is able to identify any user who accesses a webpage.
The Advocate General opines that “Whereas 26” of Directive 46/1995 is relevant to answer the question. Whereas 26 recites:
Whereas the principles of protection must apply to any information concerning an identified or identifiable person; whereas, to determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person; whereas the principles of protection shall not apply to data rendered anonymous in such a way that the data subject is no longer identifiable …
The focus of this provision is on “the means likely reasonably to be used either by the controller or by any other person to identify the said person”: likelihood and reasonableness of obtaining the additional information are the essence of the matter: if the additional information can be obtained only at a high price, with great difficulty, or breaking the law, that situation would not be covered by Whereas 26 (and Article 2.)
This is not the situation to which the Bundesgerichtshof refers. The TP in question is an access provider, which is not a hypothetical, unknown, and inaccessible TP. We are talking of one of the main players in the internet world, which is known to have all the information necessary to identify users.
For these reasons the Advocate General opines that the ECJ should answer “yes” to the issue raised by the Bundesgerichtshof: the dynamic IP address must be qualified as personal data with respect to the internet service provider, because there is a TP (the access provider) from which the internet service provider can reasonably obtain additional information that allows – in association with the memorized IP address – the identification of users.
The Advocate General concludes that Article 2(a) of the Directive must be interpreted in the sense that a memorized IP address is personal data with respect to an internet service provider if there is an access provider that is in possession of the additional information allowing the identification of a user.
Full text of the opinion here: Spanish, German, French (English language not available).
For more information, Francesca Giannoni-Crystal.