The European Court of Justice (“CJEU”) finally issued its long-awaited judgment on dynamic IP addresses (judgment in Case C-582/14: Patrick Breyer v Bundesrepublik Deutschland). The judgment will have a general impact on how to define ‘personal data’ beyond dynamic IP addresses, in particular on the question of whether a so-called ‘subjective/relative approach’ or ‘objective/absolute’ approach needs to be applied in this respect (which also affects more general questions like anonymisation, big data etc.).
The court ruled that dynamic IP addresses may constitute ‘personal data’ even where only a third party (in this case an internet service provider) has the additional data necessary to identify the individual – but only under certain circumstances: The possibility to combine the data with this additional data must constitute a “means likely reasonably to be used to identify” the individual (the court assumed such means for Germany). The so-called ‘absolute/objective approach’, that is applied in some Member States and according to which data is already considered to be ‘personal data’ if any third party (worldwide) is able to determine the identity of the individual, was not applied (unfortunately the court did not expressly refrain from this concept). The CJEU favoured a more ‘subjective/relative approach’ that focuses on the online media service provider’s possibility of (potentially) identifying an individual and whether it has the legal and practical means which enable it to do so with additional data a third party has about that person (this means third party knowledge needs to be considered but only to certain extent).
In its judgment, the court also deemed a restrictive interpretation of a German law provision that allows only for limited use of personal data in the telemedia/online context to be not in line with the EU-Data Protection Directive 95/46/EC (“Directive”) if it does not give any consideration to the concept of legitimate interest. The court held that legitimate interests must be considered and must constitute a legal justification beyond the restrictive provision of the German Telemedia Act. It therefore reconfirmed its earlier (but in many Member States in practice still often disregarded) view on the level of harmonisation provided by the Directive (see judgment of 24 November 2011, Cases C-468/10 and C-469/10: ‘ASNEF and FECEMD’). The judgment may have a considerable practical impact on online analytics and targeting (so-called “Profiling”), which is very strictly regulated in Germany and so far only possible to very limited extent.
In more detail:
The German Patrick Breyer took legal action against the Federal Republic of Germany as the operator of publicly accessible websites on which German public institutions supply topical information. He sought, based on data protection law, a prohibitory injunction against the Federal Republic of Germany as the website-operator because it stores IP addresses of visitors to their websites for cyber security reasons.
The German Federal Court of Justice referred the case to the CJEU asking
The answer to this (first) question depends on the circumstances of the specific case.
The plaintiff Mr. Breyer asserted that dynamic IP addresses qualify as personal data and are therefore subject to the relevant German data protection law requirements, the German government took (acting on behalf of the Federal Republic of Germany) a contrary view; arguing that only internet service providers would be able to allocate IP addresses to individuals. So far the CJEU has only decided that for internet service providers IP addresses qualify as personal data (see judgment in Case C-70/10: ‘Scarlet Extended’,), but it had not been answered yet whether this is also true for online media service providers, e.g. website operators (which includes any company which runs a company website).
The CJEU essentially decided that dynamic IP addresses collected by an online media service provider only constitute personal data if the possibility to combine the address with data necessary to identify the user of a website held by a third party (i.e. user’s internet service provider) constitutes a mean “likely reasonably to be used to identify” the individual.
The court emphasises, in accordance with the opinion of the Advocate General, that this would not be the case
“if the identification of the data subject was prohibited by law or practically impossible on account of the fact that it requires a disproportionate effort in terms of time, cost and man-power, so that the risk of identification appears in reality to be insignificant.”
This implies that the question as to whether ‘personal data’ is at hand also needs to be assessed on a case-by-case basis with view to the respective local law provisions. In the present case the court concluded that in particular
“in the event of cyber attacks legal channels exist so that the online media services provider is able to contact the competent authority, so that the latter can take the steps necessary to obtain that information from the internet service provider and to bring criminal proceedings.”
The CJEU therefore assumed, subject to the final assessment of the referring German Federal Court of Justice, that
“the online media services provider has the means which may likely reasonably be used in order to identify the data subject, with the assistance of other persons, namely the competent authority and the internet service provider, on the basis of the IP addresses stored.”
The judgment will have a general impact on how to define ‘personal data’ (or ‘anonymous data’) that goes far beyond the question of whether dynamic IP addresses constitute personal data. The court basically stated: (i) that it is not sufficient that only a third party may identify the individual with the data it holds, (ii) that additional data that is held by third parties necessary to identify an individual is in relation to a party only relevant if the possibility to combine this data constitutes a “means likely reasonably to be used to identify” the individual which requires (iii) that the identification of the data subject must be legally and practically possible for that party (without disproportionate effort in terms of time, cost and man-power).
Overall, the court indicated that the concept of ‘personal data’ generally needs to be assessed based on a ‘subjective/relative approach’, since according to its judgment it is not sufficient that any third party worldwide (like the internet access provider in the above mentioned ‘Scarlet Extended’-case) is possibly able to determine the identity of the individual (as it would be assumed under the so-called ‘absolute/objective approach’ - this approach is relied on (to different extent) by many European data protection authorities – “DPAs”). It looks at the party that holds the data (i.e. online media service provider) and the available means of identifying an individual by combining it with third party knowledge. Unfortunately, the court did not expressly refrain from the ‘absolute/objective approach’.
The second question that was to be decided by the court relates to the legal basis for the processing of personal data.
German law provides for strict data protection rules for telemedia services. According to section 15 (1) of the German Telemedia Act, a service provider may collect and use a user’s personal data without his consent only in so far as the collection and use of that information are necessary
The German Federal Court of Justice raised the question whether such a rule, that precludes a justification based on legitimate interests (Article 7(f) of The Directive) to use the data after the period of consultation of the website/online media service to ensure the general operability of those services, is in line with EU-law.
The CJEU denied this and reconfirmed its earlier decision that the Directive sets out an exhaustive and restrictive list of cases in which the processing of personal data can be regarded as being lawful, amongst others on the basis of legitimate interest (see judgment of 24 November 2011, Cases C-468/10 and C-469/10: ‘ASNEF and FECEMD’). According to the court, this precludes
“Member States from excluding, categorically and in general, the possibility of processing certain categories of personal data without allowing the opposing rights and interests at issue to be balanced against each other in a particular case. Thus, Member States cannot definitively prescribe, for certain categories of personal data, the result of the balancing of the opposing rights and interests, without allowing a different result by virtue of the particular circumstances of an individual case.”
This means that, contrary to the current prevailing academic opinion in Germany, German law cannot per se be interpreted to prevent online media service providers (such as website operators) to store IP addresses in order to guarantee the security and continued proper functioning of the media service without giving consideration to a possible legitimate interest of this provider.
It was expected that the CJEU would provide clear guidance on how to interpret the concept of ‘personal data’ with view to ‘identifiable natural persons’. It could have been clearer. At the end of the day it is still a question of the individual case as to whether dynamic IP addresses and other data constitute ‘personal data’, mainly subject to the legal and practical means that are available under the respective local laws to the respective party in order to identify an individual. Since the court basically interpreted this question from the perspective of the online media service provider, it seems that it favours a ‘relative approach’ (see in this respect also the Opinion of the Advocate General). Whether a strict ‘objective/absolute approach’ will in fact no longer be applied by courts and DPAs in practice needs to be seen (anything else would be difficult to justify in our view in light of this ruling). The CJEU’s decision will in any case also be relevant for the interpretation of ‘personal data’ under the General Data Protection Regulation (“GDPR”) which will apply from 25 May 2018 according to which the qualification of personal data requires similar interpretation efforts.
The judgment may further have a massive practical impact on the admissibility of Profiling in Germany. Under the current regime, Profiling is subject to very strict rules in Germany – arguably the strictest in the EU. According to section 15 (3) of the German Telemedia Act Profiling may (at least according to the prevailing legal view in Germany) only take place (i) if it is covered by the users' consent, (ii) if the respective data is anonymised, or (iii) if – but only for certain limited purposes – it is undertaken on basis of pseudonymised data (subject to further requirements).
Even though the CJEU did not expressly comment on these rules, the reasoning of the judgment can generally also be applied to this provision (though it has to be seen how the legal practice develops in this respect in Germany). The court expressly stated (confirming his earlier ‘ASNEF and FECEMD’-judgment; see above) that
“Member States cannot definitively prescribe, for certain categories of personal data, the result of the balancing of the opposing rights and interests, without allowing a different result by virtue of the particular circumstances of an individual case.”
Given that the judgment concerns another paragraph of the same legal provision, there is a strong(er) argument that in Germany online Profiling may be based on legitimate interest (like in other EU-Member States). It can only be hoped that (until the GDPR will become effective) German DPAs and courts share this view and will adapt their practice respectively. Considering how clearly the CJEU reconfirmed its opinion on the level of harmonisation provided by the Directive it seems to be difficult to disregard the court’s jurisprudence any longer.