The initial question for the preliminary ruling requested from the European Court of Justice by Germany’s Supreme Court in the Case c-582/14, Patrick Breyer v. Federal Republic of Germany concerning the interpretation of Article 2-a of Directive 95-46 (definition of personal data) is whether a dynamic IP address collected and stored by a content provider (in this case the web portal) can be deemed a personal data even if the content provider does not have the necessary means on its own to identify the person related to the IP address (1).
In order to respond to this question, the Advocate General M. Campos Sanchez-Bordona in his Opinion published on 12 May 2016 interprets the definition of personal data under Article 2 and Recital 26 of the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995.
Under Recital 26, personal information is any information concerning an identified or identifiable person. A dynamic IP address dose not directly identify a person. Thus the question is whether it can identify a person indirectly. Recital 26 clarifies in this respect that all means reasonably likely to be used either by the controller or by any other person (2) to identify said person should be taken into account.
The key issue is to determine the scope of the key term “reasonably”. The Advocate General has attempted to set forth some criteria regarding this key term.
Test of “reasonableness”:
As the Advocate General states in paragraphs 68-73 of his Opinion, contact with a third party is not reasonable if it is de facto very expensive in terms of human and financial resources, unworkable in practice or unlawful. Contact must confirm to regulations governing the processing of personal data and conditions of access to additional information intended to be used for identification. Also, data held by hypothetical, unknown or unreachable third parties would not meet this test.
Implication of this Opinion:
Even if the European Court of Justice is not legally bound by this Opinion, in practice it often follows the Opinions of its Advocate Generals in its rulings.
In order to determine whether this Opinion can be extended to any other de-identified information, we would need to determine to what extent the specific nature of an IP address differentiates it from other de-identified data. With the crucial role of IP addresses in identification of all devices connected to the internet (3), we cannot deny its specific nature. However, this Opinion would concern other de-identified data while testing whether it is identifiable information that can be deemed personal data under Article 2 and Recital 26 of the Directive. In fact, according to the Opinion, as long as a third party (4) is capable of identifying reasonably identifiable data collected by a controller, this data may be deemed personal data. There is therefore a very real risk extending the scope of personal data.
Moreover, with the development of processing means (5), the expertise and professional skills required for re-identification, and even companies specialized in this matter, it shall become increasingly reasonable and affordable both in terms of financial and human resources to contact the third party processor to obtain the identification. Thus, in the near future this criteria will cease to be an obstacle to the extension of the scope of personal data. The “lawful and legitimate third party contact” criteria however can still be a winning card regarding the “reasonableness” test.
A further point is that even if the Advocate General considered the German government in this case as a simple content provider (website operator) so that it would fall within the scope of the Directive 95, thus avoiding the exception of Article 3 paragraph 2 section 1(6), we cannot ignore the potential risk of violation of personal data protection by any given government being by nature in a dominant position compared to that of individuals and private companies which process personal data for limited purposes mostly for only economic interest. In other words, it can be much easier for a government to obtain even reasonably the identifying information. Indeed, a multifunctional government can easily use information obtained by a legitimate and reasonable means for other purposes which might not be as legitimate. So the risk is high and it can be logical to interpret the “reasonableness” in a much more extensive way with regards to such data controllers. This is why Mr. Breyer, who was very concerned about the potential risks related to his IP address storage by a public website operator, has brought proceeding before the court initially against the German government and not against the other websites or content providers who are suspected also of collecting and storing IP addresses, regardless of their purposes.
This is thus highly recommended that the interpretation of “reasonableness” be based on the potential risk of privacy violation that a data controller would pose to “data subject” with respect to the purposes the former pursue. In the presence of a potential risk, it would be crucial to interpret this term restrictively in order to limit the extensive scope of personal data. This would call for a case by case approach based on a balancing test of legitimate interests.
(1) A third party Internet Access Provider has access to additional data which, in connection with the dynamic IP address, enables user identification.
(2) In this case, the Internet Access Provider.
(3) If the IP address is dynamic, the time of connection to the internet would be required in order to identify the devices connected to the internet.
(4) Processor working on behalf of the controller.
(5) This was also a matter of concern for the Advocate General which motivated him to deem a dynamic IP address as personal data in order to prevent potential risks in the future related to the development of re-identification technologies, through which every single piece of data can be potentially identifiable.
(6) “This directive shall not apply to
the processing of personal data: – in the course of an activity which falls outside the scope of Community law (…) and the activities of the state in areas of criminal law”.