The ECJ has ruled with Judgment in the case of Breyer of October 19, 2016 on dynamic IP addresses stated the following:
In the light of the foregoing, the answer to the first question must be that Article 2(a) of Directive 95/46 must be interpreted as meaning that a dynamic IP address stored by a provider of online media services when a person accesses a website which that provider makes generally accessible constitutes, for the provider, a personal data item within the meaning of that provision, if he/she has legal means that allow him/her to determine the person in question on the basis of the additional information that the Internet access provider of this person has.
We have reported on this. This ruling was based on a referral by the German Federal Court of Justice (BGH). The BGH subsequently continued the proceedings and ruled on the basis of the ECJ’s decision (Ref. VI ZR 135/13 of May 16, 2017). The BGH ruled as follows on dynamic IP addresses (the proceedings also concerned a question of the German Telemedia Act (TMG):
a) The dynamic IP address stored by a provider of online media services when a person accesses an Internet page that this provider makes generally accessible constitutes a personal data for the provider within the meaning of Section 12 (1) and (2) TMG in conjunction with Section 3 (1) BDSG (continuation of ECJ NJW 2016, 3579).
The related recitals are as follows:
23 The possibility of linking a dynamic IP address to the additional information held by the internet access provider constitutes a means which may reasonably be used to identify the person concerned. Although the referring court pointed out in its order for reference that German law does not permit the Internet access provider to communicate directly to the provider of online media services the additional information necessary to identify the person concerned, but it appears that, subject to the checks to be carried out by the referring court in this regard, there are legal possibilities for the provider of online media services to contact the competent authority, in particular in the event of cyberattacks, so that the latter takes the necessary steps to obtain the information in question from the Internet access provider and to initiate prosecution. The provider of online media services thus apparently had means that could reasonably be used to have the person in question identified on the basis of the stored IP addresses with the help of third parties, namely the competent authority and the Internet access provider.
24 cc) On this basis, the definition of “personal data” in Section 12 (1) and (2) of the German Telemedia Act (TMG) in conjunction with Section 3 (1) of the German Federal Data Protection Act (BDSG) is interpreted in conformity with the Directive to the effect that a Dynamic IP addresswhich is stored by a provider of online media services when a person accesses an Internet page that this provider makes generally accessible, for the provider constitutes a personal data within the meaning of the aforementioned provision.
25 This is because the defendant has legal means that can reasonably be used to have the person concerned identified on the basis of the stored IP addresses with the help of third parties, namely the competent authority and the Internet access provider (see Court of Justice, loc. cit., para. 47).
26 The defendant may – in the case of injury that has already occurred. file a criminal complaint with the law enforcement authorities; in the event of imminent harm, it may involve the authorities responsible for preventing danger. Pursuant to Section 100j (2) and (1) of the Code of Criminal Procedure (StPO), Section 113 of the Telecommunications Act (cf. BVerfGE 130, 151), the authorities responsible for the prosecution of criminal offences or administrative offences may for this purpose demand information from Internet access providers if certain conditions are metThe same shall apply to the authorities responsible for averting threats to public safety or order, the federal and state authorities for the protection of the constitution, the Military Counter-Intelligence Service and the Federal Intelligence Service for averting threats to public safety or order or for the performance of the statutory duties of the aforementioned authorities. The data to be included in a disclosure may also be determined on the basis of an Internet protocol address assigned at a specific time. This allows the information obtained to be combined and the user to be identified (cf. Court of Justice loc. cit., marginal no. 49 et seq.).
Accordingly, the Federal Court of Justice generally considers dynamic IP addresses to be personal, irrespective of special circumstances. In particular, it does not require that there be indications of a situation in which the aforementioned procedural possibilities become specifically relevant. There are doubts as to whether this is in line with the requirements of the ECJ (cf. the Comment by RA Thomas Stadler).
In Switzerland, the following still applies Logistep case law. According to it, too, the means of identification available to the respective holder and/or recipient are decisive in each case; however, it places much more weight on the circumstances of the individual case:
that the necessity of the action of a third party is irrelevant as long as the overall effort of the client for the determination of the person concerned is not so great that, according to general life experience, it could no longer be expected that the client would take it upon himself (cf. E. 3.1 above). This must be assessed against the background of the specific circumstances of the individual case. It is therefore not possible to make an abstract determination as to whether or not (especially in the case of dynamic) IP addresses constitute personal data.
Dynamic IP addresses are thus still not generally personal for the Internet provider in Switzerland, but only in exceptional cases (unless additional information is collected that allows identification, and subject to the proviso that an IP address identifies the access provider, who is a data subject under the law still in force). Whether the legal situation in Europe is different may be doubted (even after the GDPR).