The ECJ today, Octo­ber 19, 2016, published its judgment i.S. Brey­er c. Ger­ma­ny (Case C‑582/14). In it, the ECJ sta­tes that a rela­ti­ve approach applies to the qua­li­fi­ca­ti­on of dyna­mic IP addres­ses, i.e. for the pro­vi­der of an Inter­net ser­vice, such an IP address is only per­so­nal data if the pro­vi­der is able to deter­mi­ne the iden­ti­ty of the con­nec­tion owner.

The judgment was issued fol­lo­wing a refer­ral by the Ger­man Fede­ral Court of Justi­ce (BGH), which had refer­red the fol­lo­wing que­sti­ons to the ECJ (pro­ce­e­dings VI ZR 135/13):

Tem­p­la­te questions

1. Is Artic­le 2(a) of Direc­ti­ve 95/46 to be inter­pre­ted as mea­ning that an IP address which a pro­vi­der of online media ser­vices stores in con­nec­tion with access to its inter­net site, for this alre­a­dy con­sti­tu­tes a per­so­nal data when a third par­ty (here: access pro­vi­der) has the addi­tio­nal know­ledge requi­red to iden­ti­fy the data subject?
2. Does Artic­le 7(f) of Direc­ti­ve 95/46 pre­clude a pro­vi­si­on of natio­nal law under which the pro­vi­der of online media ser­vices may coll­ect and use a user’s per­so­nal data wit­hout the user’s con­sent only to the ext­ent that this is neces­sa­ry to enable the spe­ci­fic use of the tele­me­di­um by the respec­ti­ve user and to sett­le the account, and under which the pur­po­se of ensu­ring the gene­ral func­tio­ning of the tele­me­di­um can­not justi­fy the use bey­ond the end of the respec­ti­ve use?

We have tal­ked in the same mat­ter about the State­ment of the Ger­man Fede­ral Govern­ment and about the Opi­ni­on of the Advo­ca­te Gene­ral reports.

Con­side­ra­ti­ons

Initi­al situa­ti­on: con­side­ra­ti­ons of the BGH on the abso­lu­te or rela­ti­ve approach

The ECJ sum­ma­ri­zes the BGH’s gui­dance on the qua­li­fi­ca­ti­on of dyna­mic IP addres­ses as follows:

23 The refer­ring court sta­tes that the dyna­mic IP addres­ses of Mr. Breyer’s com­pu­ter stored by the Fede­ral Repu­blic of Ger­ma­ny, acting as a pro­vi­der of online media ser­vices, are to be regard­ed as indi­vi­du­al data on Mr. Breyer’s fac­tu­al cir­cum­stances, at least in the con­text of the other data stored in the log files, sin­ce they pro­vi­de infor­ma­ti­on on the fact that he acce­s­sed cer­tain pages or files via the Inter­net at cer­tain times.

24 Howe­ver, the data stored in this way did not in its­elf allow any direct con­clu­si­on to be drawn about Mr. Breyer’s iden­ti­ty. The ope­ra­tors of the web­sites at issue in the main pro­ce­e­dings would be able to deter­mi­ne the iden­ti­ty of Mr Brey­er only if his inter­net access pro­vi­der pro­vi­ded them with infor­ma­ti­on con­cer­ning the iden­ti­ty of that user.. The clas­si­fi­ca­ti­on of this data as “per­so­nal” the­r­e­fo­re depends on whe­ther Mr. Breyer’s iden­ti­ty could have been determined.

25 The­re is a con­tro­ver­sy in the doc­tri­ne as to whe­ther an “objec­ti­ve” or a “rela­ti­ve” cri­ter­ion should be used to deter­mi­ne whe­ther a per­son is iden­ti­fia­ble. The appli­ca­ti­on of an “objec­ti­ve” cri­ter­ion would have the con­se­quence that data such as the IP addres­ses at issue in the main pro­ce­e­dings could be regard­ed as per­so­nal after the web­sites in que­sti­on had been acce­s­sed, even if only a third par­ty was able to estab­lish the iden­ti­ty of the data sub­ject. In the pre­sent case, the third par­ty was Mr. Breyer’s Inter­net access pro­vi­der, which had stored addi­tio­nal data enab­ling Mr. Brey­er to be iden­ti­fi­ed on the basis of the IP addres­ses. Accor­ding to a ‘rela­ti­ve’ cri­ter­ion, that data could be regard­ed as per­so­nal for a body such as Mr Breyer’s inter­net access pro­vi­der, sin­ce it made it pos­si­ble to iden­ti­fy the user pre­cis­e­ly […], whe­re­as it was not per­so­nal for ano­ther body such as the ope­ra­tor of the web­sites acce­s­sed by Mr Brey­er, sin­ce, in so far as Mr Brey­er did not pro­vi­de any per­so­nal details while acce­s­sing tho­se web­sites, that ope­ra­tor did not have the infor­ma­ti­on neces­sa­ry to iden­ti­fy him wit­hout dis­pro­por­tio­na­te effort.

Con­side­ra­ti­ons of the ECJ on the qua­li­fi­ca­ti­on as a per­so­nal date

The ECJ starts from the legal defi­ni­ti­on of the per­so­nal data accor­ding to the cur­rent Direc­ti­ve 95/46 from. Accor­ding to this, a per­so­nal data is infor­ma­ti­on that refers to an “iden­ti­fi­ed or indi­rect­ly iden­ti­fia­ble per­son”. Accor­ding to reci­tal 26 of the Direc­ti­ve, “indi­rect­ly” means that account must be taken of all the means likely rea­son­ab­ly to be used by the con­trol­ler or by a third par­ty to iden­ti­fy the per­son concerned.

For the que­sti­on of inte­rest here, the ECJ con­clu­des the following:

49 In the light of all the fore­go­ing, the ans­wer to the first que­sti­on must be that Artic­le 2(a) of Direc­ti­ve 95/46 must be inter­pre­ted as mea­ning that a Dyna­mic IP address, which is stored by a pro­vi­der of online media ser­vices when a per­son acce­s­ses a web­site that this pro­vi­der makes gene­ral­ly acce­s­si­ble, con­sti­tu­tes per­so­nal data for the pro­vi­der within the mea­ning of the afo­re­men­tio­ned pro­vi­si­on if the pro­vi­der has legal means to have the per­son con­cer­ned iden­ti­fi­ed on the basis of the addi­tio­nal infor­ma­ti­on held by the Inter­net access pro­vi­der of that per­son.

Pro memo­ria: In Switz­er­land, a rela­ti­ve approach also applies under the cur­rent DPA, as the BGer in the Logi­step decis­i­on has held.

The second que­sti­on referred

With regard to the second que­sti­on, the ECJ sta­tes that the sto­rage of the IP address by the pro­vi­der is not only per­mit­ted under Artic­le 7(f) of the Direc­ti­ve if it is neces­sa­ry for the per­for­mance of the con­tract with the user. Rather, other pur­po­ses may also justi­fy sto­rage in indi­vi­du­al cases. This exclu­des § 15 Para. 1 TMG Howe­ver, this is not the case. In this respect, this regu­la­ti­on is too strict and incom­pa­ti­ble with the directive.