- The Advocate General explains that dynamic IP addresses can be personal data if the telemedia provider has access to additional identification data.
- Ensuring the functionality of a telemedium may constitute a legitimate interest pursuant to Art. 7f Directive 95/46 and justify processing.
- National regulations that exclude the legitimate interest in processing such data contradict the Directive.
- A general interpretation, according to which any information would potentially be personal, is rejected as it would have impracticable consequences.
The Advocate General of the ECJ, Campos Sánchez-Bordona, in Case C‑582/14. its Opinion on the retention of dynamic IP addresses when visiting Internet portals of public institutions. It proposes to answer the questions submitted by the BGH to the ECJ in this context as follows:
1. pursuant to Article 2(a) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, a dynamic IP address used by a user to access the website of a Telemedia provider has called, for the latter, a “personal data”, insofar as an Internet access provider has other additional data at its disposal, which in conjunction with the dynamic IP address allow the identification of the user.
2) Article 7(f) of Directive 95/46 must be interpreted as meaning that the purpose of ensuring the functioning of the telemedium must, in principle, be regarded as a legitimate interest the achievement of which justifies the processing of that personal data, provided that it has been accorded priority over the interest or fundamental rights of the data subject. A national legal provision that does not allow this legitimate interest to be taken into account is not compatible with the aforementioned article.
In contrast, it is not sufficient for the qualification as personal data that any third party could possibly have additional information that enables identification:
(64) Again, reference should be made to the 26th recital of Directive 95/46. The wording “means … which could reasonably be used … by a third party”(17) could be interpreted as meaning that it is sufficient for any third party to be able to obtain additional data (which can be linked to a dynamic IP address in order to identify a person) for such an address to be considered eo ipso as personal data.
65. this broadest possible interpretation would in practice lead to any kind of information being classified as personal datahowever insufficient it would be in itself to be able to determine a user. It will never be possible to rule out with absolute certainty that there is not a third party in possession of additional knowledge that can be linked to the information in question and thus make it possible to determine the identity of a person.