The Court of Justice, in a decision dated 19 October 2016, dealt with the issue of whether a dynamic internet protocol address (defined as an “IP address”) may be qualified as personal data and as such fall within the scope of the provisions under Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data. The Court decided that the dynamic IP address should be qualified as personal data where the provider of the Internet web page has the legal means to obtain from the Internet service provider the additional information necessary for complete identification of the user. It should be added that an online media services provider may collect and use personal data relating to a user of those services, without his consent, only in so far as collection and use of the data are necessary to ensure the general operability of those services by that user.
The case considered by the European judges originated from two preliminary questions referred by the German Federal Court of Justice (Bundesgerichtshof). The German Court had to deal with the petition filed by Mr. Patrick Breyer, a German citizen, against the appeal decision that had partially rejected his claims. The case arose after Mr. Breyer accessed various Internet sites traceable to the German federal services which, as a way to oppose IT piracy, record user access to each site and store it in log files. The stored user data includes the name of the site and accessed file, the words inserted in the search bars, the date and time of access, the volume of transferred data, the message reporting the outcome of the access and the IP address of the PC from which access was made.
Following access, Mr. Breyer filed a petition before the German administrative courts, requesting that the German Federal Republic be prevented from storing – also via third parties – the IP address of the Internet website user and in particular that of Mr. Breyer with regard to the ongoing proceedings. Following rejection of the petition at first instance, on appeal the judge held that the dynamic IP address constitutes personal data only if the user has revealed his identity during access of the website. According to the appellate judge, only in such a case may the operator of the Internet site be in a position to identify the user by connecting his or her name with the IP address of his or her computer. The dispute reached the German Federal Court, which referred the matter to the Court of Justice of the European Union. The referred question was whether a dynamic IP address registered by the operator of an Internet web site, following access by the user, amounts to personal data pursuant to Directive 95/46/EC, with respect to the operator, only if a third party, and in particular the Internet access supplier of the user, possesses the necessary information to identify the user.
The Court of Justice of the European Union, after acknowledging that it is settled that the static IP address allows unambiguous and permanent identification of the device connected to the network, also stated that the provider of the Internet web page would be able to identify the user accessing the page via the IP address only on the basis of further information generally supplied by a third party (i.e. the Internet access provider of the user). For these reasons, in order to qualify a dynamic IP address as personal data, and as such consider it subject to the above-mentioned Directive, according to the European Court, it is necessary to verify whether the possibility of combining a dynamic IP address with the additional information kept by the Internet access provider amounts to a means that may reasonably be used by the provider of the Internet page for identifying the user. With regard to the case at hand, the Court of Justice of the European Union noted that German law does not allow the provider of the Internet page to obtain from the Internet access provider, upon mere request, additional information capable of identifying the user who utilizes a dynamic IP address. However, there are legal means that allow the provider of online media services facing cyber attacks to contact the competent authority, which may adopt the necessary measures in order to obtain the relevant information from the Internet access provider and thus commence criminal proceedings.
On those grounds, the Court of Justice of the European Union concluded that the dynamic IP address registered by the operator of an Internet web page, following access by a user, only amounts to personal data if the operator has the legal means that allow it to identify the user via additional information possessed by the Internet access provider. It follows that the operator of the Internet page may collect and use personal data relating to a user of those services, without his or her consent, only in so far as the collection and use of that information are necessary to facilitate and charge for the specific use of those services by that user, even though the objective aiming to ensure the general operability of those services may justify the use of those data after consultation of those websites.