Marcin Kotula, Legal Officer at the European Commission
The views expressed are purely those of the author and may not in any circumstances be regarded as stating an official position of the European Commission
In the Breyer case the CJEU was asked by the German Supreme Court (Bundesgerichtshof) if dynamic IP addresses are personal data within the meaning of the EU Data Protection Directive and to what extent they can be stored and processed to ensure the general operability of websites. Mr Breyer, the applicant in this case, is a German politician and privacy activist. He visited various websites of the German federal institutions. The information about the IP addresses of the visitors (or more precisely of the owners of the devices from which the websites were visited) as well as the information about the name of the accessed web page or file, the terms entered in the search fields, the time of access and the quantity of data transferred is stored in the log files after the visit.
One of the aims of the storage of those data is to prevent cyberattacks and enable prosecution of those who committed them. Mr Breyer did not agree with the storage of his IP address after the consultation of the websites and in the proceedings before the German court he requested the German government to cease this practice. The case eventually went up to the German Supreme Court which decided to seek interpretative guidance from the CJEU.
The questions of the German Supreme Court were specifically focussed on dynamic IP addresses. These are less privacy-invasive than static IP addresses. The difference between them is that the dynamic ones change with every new connection to the internet and the static ones do not. IP addresses are assigned by Internet Service Providers (ISPs) and take the form of a series of digits. In principle, in itself they do not reveal the identity of a specific natural person but can be combined with other information to identify the owner of a device that connects to the internet. Typically such other information is at the disposal of the ISP. In its Scarlet Extended judgment of 2011 the CJEU clarified that, from the perspective of the ISP, IP addresses are personal data. However, in the Breyer case the scenario was different. The German federal institutions which run the websites only had the IP addresses and the additional information that is needed to identify the visitors of those websites was held by the ISPs. The CJEU was asked to clarify if the German federal institutions (the data controllers) should treat the IP addresses as personal data even if they are not in possession of this additional information.
The CJEU's analysis
In its judgment of 19 October 2016 the CJEU referred to the definition of personal data in Article 2(a) of the Data Protection Directive 95/46/EC. This definition covers any information that relates to an individual who is identifiable, either directly or indirectly. In consequence, information can be regarded as personal data even if it does not itself identify a specific person.
Further indications on how to assess identifiability are given in Recital 26 of the Directive. This Recital clarifies that when determining if a given person is identifiable one should look at all the means that the data controller or any other person are likely to reasonably use to identify the person. On the basis of those indications the CJEU went on to examine if it is reasonably likely that the IP addresses held by the German federal institutions will be combined with the additional information held by the ISPs. The CJEU followed the line taken on this point in the Opinion of the Advocate General (AG) and stated that the combination would not be reasonably likely if it was prohibited by law or disproportionately difficult in terms of time, cost and man-power. In the German scenario, the ISPs are not allowed to directly transmit such information to website providers. On the other hand, in the event of cyber-attacks the website providers can contact the competent authorities which then can obtain the additional information from the ISPs. The availability of this legal channel led the CJEU to conclude that, for the German federal institutions, the IP addresses of the visitors of their websites are personal data because these visitors can be identified with the help of the competent authorities and of the ISPs.
The CJEU then examined if the German federal institutions can store and process the IP addresses after the end of the visit of their website to ensure the general operability of the websites. Under the relevant provisions of the German Law on telemedia (Telemediengesetz - TMG) the collection and processing of users' data is allowed only in so far as this is necessary to facilitate and charge for the specific use of the online service. This does not seem to include the purpose of ensuring the general operability of the websites. The CJEU was therefore asked to clarify if the German provisions are compatible with Article 7(f) of the Data Protection Directive. The latter Article authorises the processing of personal data when it is necessary for the legitimate interests of the data controller or of third parties to whom the data are disclosed. This authorisation does not apply if the legitimate interests are overridden by the fundamental rights and freedoms of the person whose data is at stake (the data subject).
Since the maintenance of the operability of the websites and the prevention of cyberattacks might ultimately lead to criminal proceedings against the perpetrators the CJEU contemplated if the processing of IP addresses in such circumstances is not excluded from the Directive altogether. It looked into Article 3(2) first indent of the Directive which excludes the processing of personal data carried out in the context of criminal law activities of the State. It concluded that in the scenario at hand the German federal institutions are not acting as State authorities but rather as individuals.
As far as Article 7(f) is concerned the CJEU referred to its case-law (the ASNEF judgment of 2011). This judgment acknowledges that the legal bases for the processing of personal data that are set out in Article 7 of the Directive are exhaustive and that the Member States cannot add any new principles or impose additional requirements in that regard. Under Article 5 of the Directive the Member States can merely specify the conditions under which the processing is lawful but this needs to remain within the limits of Article 7 and of the objective of the Directive which seeks to strike a balance between the free movement of personal data and the protection of private life.
Against this background, the CJEU found that by excluding the possibility of processing to ensure the general operability of the websites the German provisions go further than just specifying the conditions of lawfulness. For the CJEU, these provisions should enable the balancing of the objective of ensuring the operability of the websites with the fundamental rights and freedoms of the users. Normally this balancing is to be carried out on a case-by-case basis. The German provisions exclude this possibility by categorically prescribing the result of this balancing from the outset.
The judgment of the CJEU is generally in line with the previous case-law on the Data Protection Directive which tends to favour a wide interpretation of the main concepts of the Directive, such as the definitions of personal data and of processing. This interpretation is also compatible with the view of the Article 29 Data Protection Working Party which (in its Opinion of 2007) considers IP addresses as personal data with only one exception, i.e. of addresses allocated in cyber cafes or similar places where the users of computers are normally anonymous.
The reply of the CJEU to the second question, i.e. if the IP addresses can be processed to ensure the general operability of the websites might, to a certain extent, be open to interpretation. On the one hand, the CJEU acknowledges that the purpose of ensuring the operability of the website is a legitimate aim of the German federal institutions under Article 7(f) of the Data Protection Directive. On the other hand, it reminds that such legitimate aims must be weighed against the fundamental rights and freedoms of the data subjects. Thus, it would seem that the provider of the website might not always be allowed to retain IP addresses without any further considerations. Instead, he might need to weigh the opposing interests when assessing individual situations. The CJEU itself does not spell out the criteria which should be taken into account when carrying out this kind of assessment.
An interesting suggestion was made in the Opinion of the AG. When analysing the wording of Recital 26 which reads that the assessment of the identifiability of a person must look at all the means that might be used not only by the data controller but also by any other person he comes to the conclusion that the formulation "any other person" should rather be understood as meaning only certain third parties which are accessible to the data controller and which the latter might reasonably approach to obtain the additional information. The CJEU did not address this issue in its judgment but by analysing only the option where the German federal institutions turn to the authorities that are competent to prosecute cyberattacks which then approach the ISPs to obtain the additional information the Court stayed within the limits of the suggestion put forward by the AG because these two third parties were either directly or indirectly accessible to the federal institutions. On the other hand, the question of the German court specifically mentioned the ISPs as the source of the additional information and did not ask about other possible scenarios.
Another interesting point was made in the course of the CJEU's analysis of whether the processing of IP addresses can be excluded from the Data Protection Directive as an activity of the State in the area of criminal law. Both the Court and the AG did not see any room for this exclusion to apply in the case at hand because the German Federal institutions were not acting in their capacity of public authorities when they processed the IP addresses. For the CJEU and the AG they acted as individuals. However, the term "individual" is normally used as a synonym for "natural person". For example the full titles of EU and international data protection instruments refer to the "protection of individuals with regard to the processing of personal data" (Data Protection Directive 95/46, Regulation 45/2001, Convention No. 108 of the Council of Europe).
This might be important in the context of another exclusion under the Data Protection Directive, namely the exclusion of the processing of personal data by natural persons in the course of a purely personal or household activity. Although it seems counterintuitive for a public authority to invoke an exception that is intended for natural persons it does not seem to be impossible when looking at the case-law of the CJEU on the exclusions. Out of the three CJEU cases which dealt with the latter exclusion, two of them (Rynes, Lindqvist) related to situations where personal data was indeed processed by a natural person, but the Satamedia case involved the processing by a private company.
In Satamedia, the CJEU on the one hand concluded that Satamedia and Markkinapörssi were private companies and therefore could not rely on the exception for the State activities in criminal law. On the other hand, it then analysed if their processing could not be excluded as a purely personal or household activity and rejected this option because the companies in question were making the collected data accessible to an unrestricted number of people. Given the CJEU's and the AG's firm assertion in the Breyer case that the German federal institutions were processing IP addresses as individuals and the fact that the CJEU did not rule out this option in the case of private companies it seems possible to envisage a public authority invoking the private and household exclusion. In any event, the substantive conditions attached to the personal and household exception are rather strict. In all of the three previous CJEU cases mentioned above this exclusion was rejected because the data in question was published on the internet, made accessible to an unrestricted number of people or was outside the private setting of the person who collected it (videosurveillance of public spaces).
Finally, the scenario in the Breyer case seems to be very similar to pseudonymisation of personal data, i.e. a concept introduced in the new General Data Protection Regulation (GDPR, which will apply from 25 May 2018) and defined therein as "the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person". Under the GDPR pseudonymous data are nevertheless treated as data relating to an identifiable person and hence personal data but pseudonymisation is taken into account in the application of some of its provisions.
Photo credit: Digiquip group