Ip Addresses Equally Personal Information - The Cjeu's Judgment Inwards C-582/14 Breyer
November 22, 2018
Edit
Marcin Kotula, Legal Officer at the European Commission
The views expressed are purely those of the writer in addition to may non inwards whatever circumstances travel regarded equally stating an official seat of the European Commission
Background
In the Breyer instance the CJEU was asked yesteryear the High German Supreme Court (Bundesgerichtshof) if dynamic IP addresses are personal information inside the pregnant of the EU Data Protection Directive in addition to to what extent they tin travel stored in addition to processed to ensure the full general operability of websites. Mr Breyer, the applicant inwards this case, is a High German pol in addition to privacy activist. He visited diverse websites of the High German federal institutions. The information well-nigh the IP addresses of the visitors (or to a greater extent than exactly of the owners of the devices from which the websites were visited) equally good equally the information well-nigh the holler of the accessed spider web page or file, the price entered inwards the search fields, the fourth dimension of access in addition to the quantity of information transferred is stored inwards the log files later the visit.
One of the aims of the storage of those information is to forestall cyberattacks in addition to enable prosecution of those who committed them. Mr Breyer did non concur amongst the storage of his IP address later the consultation of the websites in addition to inwards the proceedings earlier the High German courtroom he requested the High German regime to cease this practice. The instance eventually went upwardly to the High German Supreme Court which decided to essay interpretative guidance from the CJEU.
The questions of the High German Supreme Court were specifically focussed on dynamic IP addresses. These are less privacy-invasive than static IP addresses. The divergence betwixt them is that the dynamic ones modify amongst every novel connectedness to the cyberspace in addition to the static ones produce not. IP addresses are assigned yesteryear Internet Service Providers (ISPs) in addition to receive got the shape of a serial of digits. In principle, inwards itself they produce non reveal the identity of a specific natural mortal but tin travel combined amongst other information to seat the possessor of a device that connects to the internet. Typically such other information is at the disposal of the ISP. In its Scarlet Extended judgment of 2011 the CJEU clarified that, from the perspective of the ISP, IP addresses are personal data. However, inwards the Breyer instance the scenario was different. The High German federal institutions which run the websites exclusively had the IP addresses in addition to the additional information that is needed to seat the visitors of those websites was held yesteryear the ISPs. The CJEU was asked to clarify if the High German federal institutions (the information controllers) should care for the IP addresses equally personal information fifty-fifty if they are non inwards possession of this additional information.
The CJEU's analysis
In its judgment of nineteen Oct 2016 the CJEU referred to the Definition of personal information inwards Article 2(a) of the Data Protection Directive 95/46/EC. This Definition covers whatever information that relates to an private who is identifiable, either straight or indirectly. In consequence, information tin travel regarded equally personal information fifty-fifty if it does non itself seat a specific person.
Further indications on how to assess identifiability are given inwards Recital 26 of the Directive. This Recital clarifies that when determining if a given mortal is identifiable i should expect at all the way that the information controller or whatever other mortal are probable to reasonably exercise to seat the person. On the footing of those indications the CJEU went on to show if it is reasonably probable that the IP addresses held yesteryear the High German federal institutions volition travel combined amongst the additional information held yesteryear the ISPs. The CJEU followed the line taken on this betoken inwards the Opinion of the Advocate General (AG) in addition to stated that the combination would non travel reasonably probable if it was prohibited yesteryear police delineate or disproportionately hard inwards price of time, toll in addition to man-power. In the High German scenario, the ISPs are non allowed to straight transmit such information to website providers. On the other hand, inwards the lawsuit of cyber-attacks the website providers tin contact the competent authorities which so tin obtain the additional information from the ISPs. The availability of this legal channel led the CJEU to conclude that, for the High German federal institutions, the IP addresses of the visitors of their websites are personal information because these visitors tin travel identified amongst the attention of the competent authorities in addition to of the ISPs.
The CJEU so examined if the High German federal institutions tin shop in addition to procedure the IP addresses later the halt of the see of their website to ensure the full general operability of the websites. Under the relevant provisions of the High German Law on telemedia (Telemediengesetz - TMG) the collection in addition to processing of users' information is allowed exclusively inwards so far equally this is necessary to facilitate in addition to accuse for the specific exercise of the online service. This does non seem to include the role of ensuring the full general operability of the websites. The CJEU was so asked to clarify if the High German provisions are compatible amongst Article 7(f) of the Data Protection Directive. The latter Article authorises the processing of personal information when it is necessary for the legitimate interests of the information controller or of 3rd parties to whom the information are disclosed. This authorisation does non apply if the legitimate interests are overridden yesteryear the key rights in addition to freedoms of the mortal whose information is at stake (the information subject).
Since the maintenance of the operability of the websites in addition to the prevention of cyberattacks powerfulness ultimately Pb to criminal proceedings against the perpetrators the CJEU contemplated if the processing of IP addresses inwards such circumstances is non excluded from the Directive altogether. It looked into Article 3(2) start indent of the Directive which excludes the processing of personal information carried out inwards the context of criminal police delineate activities of the State. It concluded that inwards the scenario at mitt the High German federal institutions are non acting equally State authorities but rather equally individuals.
As far equally Article 7(f) is concerned the CJEU referred to its case-law (the ASNEF judgment of 2011). This judgment acknowledges that the legal bases for the processing of personal information that are laid upwardly out inwards Article vii of the Directive are exhaustive in addition to that the Member U.S.A. cannot add together whatever novel principles or impose additional requirements inwards that regard. Under Article v of the Directive the Member U.S.A. tin but specify the weather condition nether which the processing is lawful but this needs to remain inside the limits of Article vii in addition to of the objective of the Directive which seeks to smasher a residue betwixt the costless motility of personal information in addition to the protection of private life.
Against this background, the CJEU flora that yesteryear excluding the possibility of processing to ensure the full general operability of the websites the High German provisions learn farther than just specifying the weather condition of lawfulness. For the CJEU, these provisions should enable the balancing of the objective of ensuring the operability of the websites amongst the key rights in addition to freedoms of the users. Normally this balancing is to travel carried out on a case-by-case basis. The High German provisions exclude this possibility yesteryear categorically prescribing the resultant of this balancing from the outset.
Comments
The judgment of the CJEU is mostly inwards line amongst the previous case-law on the Data Protection Directive which tends to favour a broad interpretation of the principal concepts of the Directive, such equally the definitions of personal information in addition to of processing. This interpretation is also compatible amongst the take in of the Article 29 Data Protection Working Party which (in its Opinion of 2007) considers IP addresses equally personal information amongst exclusively i exception, i.e. of addresses allocated inwards cyber cafes or similar places where the users of computers are unremarkably anonymous.
The reply of the CJEU to the minute question, i.e. if the IP addresses tin travel processed to ensure the full general operability of the websites might, to a sure enough extent, travel opened upwardly to interpretation. On the i hand, the CJEU acknowledges that the role of ensuring the operability of the website is a legitimate aim of the High German federal institutions nether Article 7(f) of the Data Protection Directive. On the other hand, it reminds that such legitimate aims must travel weighed against the key rights in addition to freedoms of the information subjects. Thus, it would seem that the provider of the website powerfulness non ever travel allowed to retain IP addresses without whatever farther considerations. Instead, he powerfulness demand to weigh the opposing interests when assessing private situations. The CJEU itself does non piece out the criteria which should travel taken into trouble concern human relationship when carrying out this sort of assessment.
An interesting proposition was made inwards the Opinion of the AG. When analysing the wording of Recital 26 which reads that the assessment of the identifiability of a mortal must expect at all the way that powerfulness travel used non exclusively yesteryear the information controller but also yesteryear whatever other mortal he comes to the determination that the formulation "any other person" should rather travel understood equally pregnant exclusively sure enough 3rd parties which are accessible to the information controller in addition to which the latter powerfulness reasonably approach to obtain the additional information. The CJEU did non address this number inwards its judgment but yesteryear analysing exclusively the selection where the High German federal institutions plough to the authorities that are competent to prosecute cyberattacks which so approach the ISPs to obtain the additional information the Court stayed inside the limits of the proposition lay forwards yesteryear the AG because these 2 3rd parties were either straight or indirectly accessible to the federal institutions. On the other hand, the enquiry of the High German courtroom specifically mentioned the ISPs equally the origin of the additional information in addition to did non inquire well-nigh other possible scenarios.
Another interesting betoken was made inwards the course of teaching of the CJEU's analysis of whether the processing of IP addresses tin travel excluded from the Data Protection Directive equally an activeness of the State inwards the expanse of criminal law. Both the Court in addition to the AG did non encounter whatever room for this exclusion to apply inwards the instance at mitt because the High German Federal institutions were non acting inwards their capacity of populace authorities when they processed the IP addresses. For the CJEU in addition to the AG they acted equally individuals. However, the term "individual" is unremarkably used equally a synonym for "natural person". For representative the amount titles of European Union in addition to international information protection instruments refer to the "protection of individuals amongst regard to the processing of personal data" (Data Protection Directive 95/46, Regulation 45/2001, Convention No. 108 of the Council of Europe).
This powerfulness travel of import inwards the context of roughly other exclusion nether the Data Protection Directive, namely the exclusion of the processing of personal information yesteryear natural persons inwards the course of teaching of a purely personal or menage activity. Although it seems counterintuitive for a populace authorization to invoke an exception that is intended for natural persons it does non seem to travel impossible when looking at the case-law of the CJEU on the exclusions. Out of the 3 CJEU cases which dealt amongst the latter exclusion, 2 of them (Rynes, Lindqvist) related to situations where personal information was indeed processed yesteryear a natural person, but the Satamedia case involved the processing yesteryear a private company.
In Satamedia, the CJEU on the i mitt concluded that Satamedia in addition to Markkinapörssi were private companies in addition to so could non rely on the exception for the State activities inwards criminal law. On the other hand, it so analysed if their processing could non travel excluded equally a purely personal or menage activeness in addition to rejected this selection because the companies inwards enquiry were making the collected information accessible to an unrestricted number of people. Given the CJEU's in addition to the AG's theater assertion inwards the Breyer instance that the High German federal institutions were processing IP addresses equally individuals in addition to the fact that the CJEU did non dominion out this selection inwards the instance of private companies it seems possible to envisage a populace authorization invoking the private in addition to menage exclusion. In whatever event, the noun weather condition attached to the personal in addition to menage exception are rather strict. In all of the 3 previous CJEU cases mentioned inwards a higher house this exclusion was rejected because the information inwards enquiry was published on the internet, made accessible to an unrestricted number of people or was exterior the private setting of the mortal who collected it (videosurveillance of populace spaces).
Finally, the scenario inwards the Breyer instance seems to travel really similar to pseudonymisation of personal data, i.e. a concept introduced inwards the novel General Data Protection Regulation (GDPR, which volition apply from 25 May 2018) in addition to defined therein as "the processing of personal information inwards such a mode that the personal information tin no longer travel attributed to a specific information dependent area without the exercise of additional information, provided that such additional information is kept separately in addition to is dependent area to technical in addition to organisational measures to ensure that the personal information are non attributed to an identified or identifiable natural person". Under the GDPR pseudonymous information are soundless treated equally information relating to an identifiable mortal in addition to hence personal information but pseudonymisation is taken into trouble concern human relationship inwards the application of roughly of its provisions.
Photo credit: Digiquip group
