Home Knowledge CJEU Rules Dynamic IP Addresses May Constitute Personal Data

CJEU Rules Dynamic IP Addresses May Constitute Personal Data

October 28, 2016

In a decision that may have farreaching implications for website operators, the Court of Justice of theEuropean Union (CJEU) has ruled that dynamic IP addresses can constitutepersonal data, even where the individual can only be identified usingadditional data held by a third party (normally the internet service providerthat assigns the IP address).


Patrick Breyer, a German politician,sought an injunction preventing the Federal Republic of Germany from storing IPaddresses of visitors to their websites for cyber securitypurposes.

The case had reached the highestcourt in Germany, which referred two questions to theCJEU:

  1. Whether a dynamic IP address held by an online media service provider could constitute personal data in circumstances where the additional data necessary to identify the data subject can only be provided by the internet service provider
  2. Whether the provision of German law that precluded a justification based on “legitimate interest” to hold data (e.g. to prevent cyberattacks) was inconsistent with Article 7 of the Data Protection Directive (the “Directive”)

Court ruling and futureimplications

In response to these questions, theCJEU ruled that:

  1. A dynamic IP address may constitute personal data if the site operator has legal means enabling it to identify the visitor with the help of additional information provided by a third party
  2. The provision of German law that limited the scope of the “legitimate interest” justification by providing that it only applied to the specific use of the site by the data subject is inconsistent with Article 7 of the Directive (which creates the justification)

The decision is likely to presentchallenges to online media service providers. If all IP addresses canconstitute personal data, site operators will now need to balance thefundamental rights of data subjects who access their sites with the legitimateinterest in preventing cyberattacks. This is likely to result in additionalrequirements for site operators such as carrying out privacy impactassessments.

Follow us on Twitter @WFIDEA

Contributed by JohnMagee

Back to Legal News