Marcin
Kotula, Legal Officer at the European Commission
The
views expressed are purely those of the author and may not in any circumstances
be regarded as stating an official position of the European Commission
Background
In
the Breyer case the CJEU was asked by
the German Supreme Court (Bundesgerichtshof) if dynamic IP addresses are
personal data within the meaning of the EU
Data Protection Directive and to what extent they can be stored and
processed to ensure the general operability of websites. Mr Breyer, the applicant in this case,
is a German politician and privacy activist. He visited various websites of the
German federal institutions. The information about the IP addresses of the
visitors (or more precisely of the owners of the devices from which the
websites were visited) as well as the information about the name of the
accessed web page or file, the terms entered in the search fields, the time of
access and the quantity of data transferred is stored in the log files after
the visit.
One
of the aims of the storage of those data is to prevent cyberattacks and enable
prosecution of those who committed them. Mr Breyer did not agree with the
storage of his IP address after the consultation of the websites and in the
proceedings before the German court he requested the German government to cease
this practice. The case eventually went up to the German Supreme Court which
decided to seek interpretative guidance from the CJEU.
The
questions of the German Supreme Court were specifically focussed on dynamic IP
addresses. These are less privacy-invasive than static IP addresses. The
difference between them is that the dynamic ones change with every new
connection to the internet and the static ones do not. IP addresses are
assigned by Internet Service Providers (ISPs) and take the form of a series of
digits. In principle, in itself they do not reveal the identity of a specific
natural person but can be combined with other information to identify the owner
of a device that connects to the internet. Typically such other information is
at the disposal of the ISP. In its Scarlet
Extended judgment of 2011 the CJEU clarified that, from the perspective
of the ISP, IP addresses are personal data. However, in the Breyer case the scenario was different.
The German federal institutions which run the websites only had the IP
addresses and the additional information that is needed to identify the
visitors of those websites was held by the ISPs. The CJEU was asked to clarify
if the German federal institutions (the data controllers) should treat the IP
addresses as personal data even if they are not in possession of this
additional information.
The CJEU's analysis
In its
judgment of 19 October 2016 the CJEU referred to the definition of
personal data in Article 2(a) of the Data Protection Directive 95/46/EC. This
definition covers any information that relates to an individual who is
identifiable, either directly or indirectly. In consequence, information can be
regarded as personal data even if it does not itself identify a specific
person.
Further
indications on how to assess identifiability are given in Recital 26 of the
Directive. This Recital clarifies that when determining if a given person is
identifiable one should look at all the means that the data controller or any
other person are likely to reasonably use to identify the person. On the basis
of those indications the CJEU went on to examine if it is reasonably likely
that the IP addresses held by the German federal institutions will be combined
with the additional information held by the ISPs. The CJEU followed the line
taken on this point in the Opinion
of the Advocate General (AG) and
stated that the combination would not be reasonably likely if it was prohibited
by law or disproportionately difficult in terms of time, cost and man-power. In
the German scenario, the ISPs are not allowed to directly transmit such
information to website providers. On the other hand, in the event of
cyber-attacks the website providers can contact the competent authorities which
then can obtain the additional information from the ISPs. The availability of
this legal channel led the CJEU to conclude that, for the German federal
institutions, the IP addresses of the visitors of their websites are personal
data because these visitors can be identified with the
help of the competent authorities and of the ISPs.
The
CJEU then examined if the German federal institutions can store and process the
IP addresses after the end of the visit of their website to ensure the general
operability of the websites. Under the relevant provisions of the German Law on
telemedia (Telemediengesetz - TMG) the collection and processing of users' data
is allowed only in so far as this is necessary to facilitate and charge for the
specific use of the online service. This does not seem to include the purpose
of ensuring the general operability of the websites. The CJEU was therefore
asked to clarify if the German provisions are compatible with Article 7(f) of
the Data Protection Directive. The latter Article authorises the processing of
personal data when it is necessary for the legitimate interests of the data
controller or of third parties to whom the data are disclosed. This
authorisation does not apply if the legitimate interests are overridden by the
fundamental rights and freedoms of the person whose data is at stake (the data
subject).
Since
the maintenance of the operability of the websites and the prevention of
cyberattacks might ultimately lead to criminal proceedings against the
perpetrators the CJEU contemplated if the processing of IP addresses in such
circumstances is not excluded from the Directive altogether. It looked into
Article 3(2) first indent of the Directive which excludes the processing of
personal data carried out in the context of criminal law activities of the
State. It concluded that in the scenario at hand the German federal
institutions are not acting as State authorities but rather as individuals.
As
far as Article 7(f) is concerned the CJEU referred to its case-law (the
ASNEF judgment of 2011). This
judgment acknowledges that the legal bases for the processing of personal data
that are set out in Article 7 of the Directive are exhaustive and that the
Member States cannot add any new principles or impose additional requirements
in that regard. Under Article 5 of the Directive the Member States can merely
specify the conditions under which the processing is lawful but this needs to
remain within the limits of Article 7 and of the objective of the Directive
which seeks to strike a balance between the free movement of personal data and
the protection of private life.
Against
this background, the CJEU found that by excluding the possibility of processing
to ensure the general operability of the websites the German provisions go
further than just specifying the conditions of lawfulness. For the CJEU, these
provisions should enable the balancing of the objective of ensuring the
operability of the websites with the fundamental rights and freedoms of the
users. Normally this balancing is to be carried out on a case-by-case basis.
The German provisions exclude this possibility by categorically prescribing the
result of this balancing from the outset.
Comments
The
judgment of the CJEU is generally in line with the previous case-law on the
Data Protection Directive which tends to favour a wide interpretation of the
main concepts of the Directive, such as the definitions of personal data and of
processing. This interpretation is also compatible with the view of the Article
29 Data Protection Working Party which (in
its Opinion of 2007) considers IP addresses as personal data with only one
exception, i.e. of addresses allocated in cyber cafes or similar places where
the users of computers are normally anonymous.
The
reply of the CJEU to the second question, i.e. if the IP addresses can be
processed to ensure the general operability of the websites might, to a certain
extent, be open to interpretation. On the one hand, the CJEU acknowledges that
the purpose of ensuring the operability of the website is a legitimate aim of
the German federal institutions under Article 7(f) of the Data Protection
Directive. On the other hand, it reminds that such legitimate aims must be
weighed against the fundamental rights and freedoms of the data subjects. Thus,
it would seem that the provider of the website might not always be allowed to
retain IP addresses without any further considerations. Instead, he might need
to weigh the opposing interests when assessing individual situations. The CJEU
itself does not spell out the criteria which should be taken into account when
carrying out this kind of assessment.
An
interesting suggestion was made in the Opinion of the AG. When analysing the
wording of Recital 26 which reads that the assessment of the identifiability of
a person must look at all the means that might be used not only by the data
controller but also by any other person he comes to the conclusion that the formulation
"any other person" should rather be understood as meaning only
certain third parties which are accessible to the data controller and which the
latter might reasonably approach to obtain the additional information. The CJEU
did not address this issue in its judgment but by analysing only the option
where the German federal institutions turn to the authorities that are
competent to prosecute cyberattacks which then approach the ISPs to obtain the
additional information the Court stayed within the limits of the suggestion put
forward by the AG because these two third parties were either directly or
indirectly accessible to the federal institutions. On the other hand, the
question of the German court specifically mentioned the ISPs as the source of
the additional information and did not ask about other possible scenarios.
Another
interesting point was made in the course of the CJEU's analysis of whether the
processing of IP addresses can be excluded from the Data Protection Directive
as an activity of the State in the area of criminal law. Both the Court and the
AG did not see any room for this exclusion to apply in the case at hand because
the German Federal institutions were not acting in their capacity of public
authorities when they processed the IP addresses. For the CJEU and the AG they
acted as individuals. However, the term "individual" is normally used
as a synonym for "natural person". For example the full titles of EU
and international data protection instruments refer to the "protection of
individuals with regard to the processing of personal data" (Data
Protection Directive 95/46, Regulation
45/2001, Convention
No. 108 of the Council of Europe).
This
might be important in the context of another exclusion under the Data
Protection Directive, namely the exclusion of the processing of personal data by
natural persons in the course of a purely personal or household activity.
Although it seems counterintuitive for a public authority to invoke an
exception that is intended for natural persons it does not seem to be
impossible when looking at the case-law of the CJEU on the exclusions. Out of
the three CJEU cases which dealt with the latter exclusion, two of them (Rynes,
Lindqvist)
related to situations where personal data was indeed processed by a natural
person, but the Satamedia case involved the
processing by a private company.
In Satamedia, the CJEU on the one hand
concluded that Satamedia and Markkinapörssi were private companies and
therefore could not rely on the exception for the State activities in criminal
law. On the other hand, it then analysed if their processing could not be
excluded as a purely personal or household activity and rejected this option
because the companies in question were making the collected data accessible to
an unrestricted number of people. Given the CJEU's and the AG's firm assertion
in the Breyer case that the German
federal institutions were processing IP addresses as individuals and the fact
that the CJEU did not rule out this option in the case of private companies it
seems possible to envisage a public authority invoking the private and
household exclusion. In any event, the substantive conditions attached to the
personal and household exception are rather strict. In all of the three
previous CJEU cases mentioned above this exclusion was rejected because the
data in question was published on the internet, made accessible to an
unrestricted number of people or was outside the private setting of the person
who collected it (videosurveillance of public spaces).
Finally,
the scenario in the Breyer case seems
to be very similar to pseudonymisation of personal data, i.e. a concept
introduced in the new General
Data Protection Regulation (GDPR, which will apply from 25 May 2018) and
defined therein as "the processing
of personal data in such a manner that the personal data can no longer be
attributed to a specific data subject without the use of additional
information, provided that such additional information is kept separately and
is subject to technical and organisational measures to ensure that the personal
data are not attributed to an identified or identifiable natural person".
Under the GDPR pseudonymous data are nevertheless treated as data relating to
an identifiable person and hence personal data but pseudonymisation is taken
into account in the application of some of its provisions.
Photo
credit: Digiquip group
thank you
ReplyDelete