IP addresses have increasingly important uses for organisations, particularly in the sphere of online behavioural advertising. An IP address is a unique number which is assigned to every device which accesses a network, to identify those devices. Previously, it has been somewhat of a grey area as to whether IP addresses constitute "personal data" for the purposes of the Data Protection Directive 1995 (Directive), and therefore whether organisations using IP addresses would need to comply with the Directive in doing so.
The key aspect of the definition of "personal data" under the Directive is that the data must enable identification of a living individual. Until recently, the general consensus seems to have been that IP addresses, when used on their own and not combined with any other identifying information (such as an individual’s name or email address), did not constitute "personal data". This has certainly been a useful point of view for organisations using IP addresses for the purposes of online behavioural advertising, which have often used this interpretation to escape the requirement to obtain appropriate direct marketing opt-ins. Indeed, a 2010 case (EMI Records & Ors v Eircom Limited) confirmed that IP addresses did not constitute personal data.
The more recent case of Breyer v Federal Republic of Germany may well fly in the face of the 2010 decision. The case is yet to be decided, but the Advocate General (AG) of the Court of Justice of the European Union (CJEU) gave his opinion on 12 May, which is likely to be persuasive.
This case concerns an individual, Patrick Breyer, who sued the German government on the basis that it had stored data about his visits to government websites for longer than necessary. The only data stored by the government about these visits consisted of dynamic IP addresses (which are temporarily assigned by a network when they connect, as opposed to static IP addresses which are permanently assigned to a particular device and which do not change). Breyer argued that these types of dynamic IP addresses, together with the time of access, did constitute "personal data" because they enabled identification of an individual when the access provider (here, the German government) holds additional information about that individual (even though this might not necessarily be used in conjunction with the IP address to actually identify the individual).
The AG agreed with Breyer, turning the 2010 EMI decision on its head. According to the AG, dynamic IP addresses are personal data as long as the access provider holds additional information enabling the identification of an individual. It is worth noting that the AG’s opinion goes on to state that the AG considers that the functioning of "telemedia" constitutes a "legitimate interest" justifying the processing of personal data. Therefore even though the dynamic IP addresses concerned may be considered to be personal data, it may be that there is not considered to have been a breach of the Directive.
The implications of this case will not become clear until the case has been decided, however if the AG’s opinion is followed (which seems likely), it will now be clear that dynamic IP addresses constitute "personal data". This means that organisations that use dynamic IP addresses for the purposes of behavioural advertising will no longer be able to rely on the interpretation that this information is not "personal data" to exempt them from the requirement to obtain consent to such advertising.
The General Data Protection Regulation (GDPR), which is now in force and with which organisations processing personal data must comply from 25 May 2018, specifically includes IP addresses within the definition of "personal data". As such, from 25 May 2018, organisations will need to obtain consent to direct marketing carried out on the basis of IP addresses alone in any case. This is wider than the position set out in the AG’s opinion as it does not distinguish between dynamic and static IP addresses; therefore, the implications of the AG’s opinion are relatively limited in that it confirms the position that will apply from 25 May 2018 in any case. Businesses should be aware that they may need to implement processes to ensure adequate consents are obtained for online behavioural advertising sooner than they might have anticipated.
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at June 2016. Specific advice should be sought for specific cases. For more information see our terms & conditions on www.TLTsolicitors.com