- The FDPIC classifies dynamic IP addresses as personal data, as they can contribute to the creation of personality profiles and identification.
- The Federal Supreme Court follows a relative determinability approach: The identification possibilities and interests of the data owner or recipient are decisive.
- Legal effect also extends to data collectors and disseminators; data protection law applies if recipient can identify data subject after data transfer.
Are dynamic IP addresses personal data? For the FDPIC (evaluation tools for websites) yes:
From a data protection perspective, many of the known web tracking services are problematic. By analyzing Internet usage, personality profiles within the meaning of the Data Protection Act are obtained under certain circumstances. Even if only the IP address of a user is processed, this is relevant in terms of data protection law, since the IP address is basically to be qualified as personal data.
The Federal Court (i.S. Logistep) on the other hand, takes a relative approach: for determinability, the possibilities and interests of the respective owner (or recipient) of the data must be taken into account.
3.4 Whether information can be linked to a person on the basis of additional data, i.e. whether the information relates to an identifiable person (Art. 3 lit. a FADP), is assessed from the perspective of the respective holder of the information (ROSENTHAL, loc. cit., n. 20 on Art. 3 FADP; WEBER/FERCSIK SCHNYDER, loc. cit., p. 583). In the case of the disclosure of information, it is sufficient if the recipient is able to identify the data subject. In this context, ROSENTHAL cites the example of a newspaper report about the accident of a local politician who has not been named. According to the author’s convincing argumentation, if part of the readership is able to deduce the identity of the person concerned (if necessary on the basis of further research), the publication constitutes a disclosure of personal data from their point of view (ROSENTHAL, loc. cit., n. 30 on Art. 3 DPA; cf. also Art. 3 lit. e DPA). This means for the present case that it is not a prerequisite that the copyright infringers are already identifiable for the respondent. Rather, it is sufficient if they become so for the copyright holders after the relevant data has been handed over. If this is the case (see below), the Data Protection Act also applies to the respondent itself. To decide otherwise would mean to apply the Data Protection Act only to the individual recipients, but not to the person who obtains the data in question and disseminates them. This would run counter to the purpose of the Act.
This approach is now also advocated by the German federal government in a statement on the Breyer case pending before the ECJ: