The ECJ today, October 19, 2016, published its judgment i.S. Breyer c. Germany (Case C‑582/14). In it, the ECJ states that a relative approach applies to the qualification of dynamic IP addresses, i.e. for the provider of an Internet service, such an IP address is only personal data if the provider is able to determine the identity of the connection owner.
The judgment was issued following a referral by the German Federal Court of Justice (BGH), which had referred the following questions to the ECJ (proceedings VI ZR 135/13):
- Is Article 2(a) of Directive 95/46 to be interpreted as meaning that an IP address which a provider of online media services stores in connection with access to its internet site, for this already constitutes a personal data when a third party (here: access provider) has the additional knowledge required to identify the data subject?
- Does Article 7(f) of Directive 95/46 preclude a provision of national law under which the provider of online media services may collect and use a user’s personal data without the user’s consent only to the extent that this is necessary to enable the specific use of the telemedium by the respective user and to settle the account, and under which the purpose of ensuring the general functioning of the telemedium cannot justify the use beyond the end of the respective use?
Initial situation: considerations of the BGH on the absolute or relative approach
The ECJ summarizes the BGH’s guidance on the qualification of dynamic IP addresses as follows:
23 The referring court states that the dynamic IP addresses of Mr. Breyer’s computer stored by the Federal Republic of Germany, acting as a provider of online media services, are to be regarded as individual data on Mr. Breyer’s factual circumstances, at least in the context of the other data stored in the log files, since they provide information on the fact that he accessed certain pages or files via the Internet at certain times.
24 However, the data stored in this way did not in itself allow any direct conclusion to be drawn about Mr. Breyer’s identity. The operators of the websites at issue in the main proceedings would be able to determine the identity of Mr Breyer only if his internet access provider provided them with information concerning the identity of that user.. The classification of this data as “personal” therefore depends on whether Mr. Breyer’s identity could have been determined.
25 There is a controversy in the doctrine as to whether an “objective” or a “relative” criterion should be used to determine whether a person is identifiable. The application of an “objective” criterion would have the consequence that data such as the IP addresses at issue in the main proceedings could be regarded as personal after the websites in question had been accessed, even if only a third party was able to establish the identity of the data subject. In the present case, the third party was Mr. Breyer’s Internet access provider, which had stored additional data enabling Mr. Breyer to be identified on the basis of the IP addresses. According to a ‘relative’ criterion, that data could be regarded as personal for a body such as Mr Breyer’s internet access provider, since it made it possible to identify the user precisely […], whereas it was not personal for another body such as the operator of the websites accessed by Mr Breyer, since, in so far as Mr Breyer did not provide any personal details while accessing those websites, that operator did not have the information necessary to identify him without disproportionate effort.
Considerations of the ECJ on the qualification as a personal date
The ECJ starts from the legal definition of the personal data according to the current Directive 95/46 from. According to this, a personal data is information that refers to an “identified or indirectly identifiable person”. According to recital 26 of the Directive, “indirectly” means that account must be taken of all the means likely reasonably to be used by the controller or by a third party to identify the person concerned.
For the question of interest here, the ECJ concludes the following:
49 In the light of all the foregoing, the answer to the first question must be that Article 2(a) of Directive 95/46 must be interpreted as meaning that a Dynamic IP address, which is stored by a provider of online media services when a person accesses a website that this provider makes generally accessible, constitutes personal data for the provider within the meaning of the aforementioned provision if the provider has legal means to have the person concerned identified on the basis of the additional information held by the Internet access provider of that person.
Pro memoria: In Switzerland, a relative approach also applies under the current DPA, as the BGer in the Logistep decision has held.
The second question referred
With regard to the second question, the ECJ states that the storage of the IP address by the provider is not only permitted under Article 7(f) of the Directive if it is necessary for the performance of the contract with the user. Rather, other purposes may also justify storage in individual cases. This excludes § 15 Para. 1 TMG However, this is not the case. In this respect, this regulation is too strict and incompatible with the directive.