Dynamic IP-addresses can be "personal data" says EU Court of Justice
Patrick Van Eecke
Partner at Cooley LLP - Head of Cooley’s European cyber/data/privacy practice and co-chair of its global c/d/p practice. Professor European IT Law at University of Antwerp
Today, the European Court of Justice decided on the question whether or not dynamic IP-addresses constitute "personal data" in the sense of the European data protection legislation (Case C-582/14).
The full text of the judgment can be found here
The court confirms that the dynamic internet protocol address of a visitor constitutes personal data, with respect to the operator of the website, if that operator has the legal means allowing it to identify the visitor concerned with additional information about him which is held by the internet service provider.
This means that in such cases website operators do need to act in compliance with data protection legislation when processing such dynamic IP-addresses. The operator of a website may however have a legitimate interest in storing certain personal data relating to visitors to that website in order to protect itself against cyberattacks, and does not need to ask for consent from the website visitor.
The ruling is relevant for any website collecting dynamic IP-addresses. The Court leaves room for deciding in each case whether or not dynamic IP-addresses form personal data.
In practice, this means that the following criteria should be used when deciding if dynamic IP-addresses are personal data in a specific situation:
- It is not necessary that the dynamic IP addresses alone allows the data subject to be identified, if additional data could help to identify the person.
- It is not required that all the information enabling the identification of the data subject must be in the hands of one person.
- It must be decided in each case whether the possibility to combine a dynamic IP address with the additional data held by the internet service provider constitutes a means likely reasonably to be used to identify the data subject
- That would not be the case if the identification of the data subject was prohibited by law or practically impossible on account of the fact that it requires a disproportionate effort in terms of time, cost and man-power, so that the risk of identification appears in reality to be insignificant
No doubt, and as always with EU Court judgements, food for further consideration!
Sharing my curation of the uncertainties around the IP address https://www.pearltrees.com/idigital/ip-address-private-data/id15947140
Co-founder | Entrepreneur | Chief Hacking Officer | Certified Professional Penetration Tester (eCPPT) | Web Application Penetration Tester (eWPT) | Ethical Hacker | Cloud Security Specialist | Shift Left Security
8 å¹´This is a big problem for everybody that has a website. All incoming requests log the source IP in a clear-text logfile. This is default behavior of the webserver.
Advising clients on data issues in many sectors - providing insights and guidance - Partner and DWF Regional Data Protection and Cyber Security Leader
8 å¹´Thank you Patrick, another important judgment on the scope of "personal data".