The Court of Justice of the EU (CJEU) has recently ruled that dynamic IP addresses can constitute personal data where a website operator has the ability to combine dynamic IP addresses with personal data received from third parties.
The case arose as a consequence of a German privacy activist, Patrick Breyer, bringing proceedings regarding the retention of his IP address by German government websites. The decision primarily concerned the question of whether dynamic IP addresses should be considered ‘personal data’ within the meaning of Directive 95/46/EC (Directive), where those IP addresses are not combined with any other identifying information. The Directive is implemented in the UK by the Data Protection Act 1998 (DPA) and will be replaced by the General Data Protection Regulation (GDPR) from 25 May 2018.
Personal data is defined in the Directive and the DPA as any data which relates to an identified or identifiable living individual. It was common ground in Breyer that dynamic IP addresses, when held by a website operator rather than an internet service provider and when not combined with any additional identifying information, did not relate to an ‘identified’ individual. This is because, provided that a website user does not identify himself or herself during a website visit, the website operator cannot identify the user from a dynamic IP address alone.
The CJEU's view was that dynamic IP addresses will be personal data if a website operator has a legal means by which to obtain further information about the user from the internet service provider (ISP). For example, if an operator were using dynamic IP addresses to investigate cyber-attacks and could ask the ISP for additional information about users to assist in the investigation, the dynamic IP addresses would constitute personal data.
The practical effect of this decision is that dynamic IP addresses stored by organisations are likely to constitute personal data, since additional identifying information could, in theory, be obtained from the ISP. However, we consider that, in practice, the processing of dynamic IP addresses is only likely to pose a real risk where they are, in fact, combined with other personal data which renders the individual identifiable and are then used in processing activities.
It is worth noting that the definition of ‘personal data’ under the GDPR explicitly includes online identifiers. Therefore, it is likely that even without the Breyer case, dynamic IP addresses would have been considered personal data from 25 May 2018 in any case.
Following the ruling, it is important that businesses consider the following issues:
Is the business aware how dynamic IP addresses are used, analysed and combined with any other identifiable user data? Are dynamic IP addresses stored in their full form and how long are they stored for?
Pending implementation of the GDPR, businesses will need to fulfil one of the conditions set out in Schedule 2 of the DPA in relation to the processing of dynamic IP addresses. Which Schedule 2 condition is most appropriate is likely to depend on the type of processing being carried out. A business may be able to rely on the ‘legitimate interests’ condition if it can show that its processing of dynamic IP addresses is necessary for the purposes of its legitimate interests, such as guaranteeing the security and proper functioning of the website or protecting against cyber-attacks (provided this cannot be fulfilled without the use of dynamic IP addresses).
However, if the business were to carry out more privacy-intrusive activities, such as profiling individuals using dynamic IP addresses, it is less likely to be able to rely on the legitimate interests condition. In this situation, it may need to obtain the user's specific, informed and freely given consent to the use of dynamic IP addresses.
Static IP addresses are normally used for marketing purposes, as marketing usually requires the website to be able to store and recognise the same IP address for a device from a previous visit. However, businesses should ensure that they do not use dynamic IP addresses for direct or targeted marketing without the appropriate consents.
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at November 2016. Specific advice should be sought for specific cases. For more information see our terms & conditions.