IP Addresses are Identifiable Personal Data - Shock!

Shock! IP Addresses are personal data! Who would have thought it?

Well, anyone who has read the Article 29 Working Party’s Opinion on the concept of Personal Data back in 2007 (and their 2000 Opinion on Privacy on the Internet) would have been unsurprised. Way back then, the A29WP examined the scenario of IP addresses, specifically dynamic IP addresses, and whether they were identifiable personal data or not. They looked at it in the context of whether the data could be directly or indirectly linked to an identifiable individual.

In Example 15 in the 2007 Opinion, the A29WP looked at the processing of IP addresses for the purposes of identifying copyright infringers, and in that case was of the view that a request via the Courts for access to the personal data held by an ISP linked to the allocated IP address would be a “means likely reasonably to be used”, bringing IP addresses within the definition of Personal Data.

They go on to look at scenarios where the identity of the user of the device might not be readily identifiable. They quaintly give the example of an internet café, but we might substitute a coffee shop or public wifi connection for our purposes. In these cases, where no identifying information about the customer is requested, there is no way of identifying the individual using the device the IP address is assigned to. However, they do not leave it at that. They (pragmatically and correctly in my view) point out that an ISP has no way of knowing with absolute certainty whether or not there is identifiable information relating to the IP address which might enable it to be linked to an individual and, as a result “it will have to treat all IP information as personal data, to be on the safe side”.

In the SABAMcase in 2011, the CJEU looked at the issue of processing IP addresses in the context of a bulk surveillance system aimed at detecting and prosecuting instances of copyright infringement. In SABAM, the case was decided on whether the balancing of competing rights was fair, necessary, and proportionate given the proposed injunction to require monitoring of ALL IP addresses. What was not in dispute was that IP addresses constituted personal data. This was a point of common agreement between the parties (see Paragraph 51 of the Court’s ruling).

So, in 2007 and 2011, IP Addresses were seen as being Personal Data within the meaning of Directive 95/46/EC. It’s for this reason that I regularly remind classes and clients that the Irish High Court is at odds with the A29WP and the Directive in its view that IP addresses are not personal data.

The Rynes case, one of the reasons that Mr Rynes was found to be a Data Controller and the scope of the ‘domestic use’ exemption was narrowed was that he made a disclosure of his CCTV footage to the police, with a reasonable expectation that the police would be able to identify the person in the footage. The inimitable Chris Pounder has looked at this at length over on Hawktalk Blog over a year ago, and tees up the discussion of the current “revolution” that appears to have begun in the most recent case on IP addresses, Breyer.

So, what’s the big deal in the Breyer case? Why is it being hailed as a game changer?

A quick look at Breyer

Colour me unsurprised. The Article 29 Working Party discussed legal means in 2007, and the SABAM case essentially hung on whether the legal means to be applied were proportionate. All Breyer adds to the party is an explicit CJEU ruling on the question. That is not the big deal. The big deal follows from that...

The big deal in Breyer (in my view) is that it somewhat dents the idea of Pseudonymisation as a means of putting personal data at ‘arm’s length’ in the context of the GDPR, to allow processing of data that would otherwise be identifiable personal data and might require attention to be paid to the full depth and breadth of the Regulation.

Breyer basically means that organisations may not be able to rely on a carte blanche for processing of pseudonymised data once the GDPR comes into force, if there is a lawful means by which the data can be reidentified to an individual. That the GDPR is already signed into force and now must be considered by the CJEU in framing their rulings should not be ignored here, notwithstanding it not applying (i.e. being enforceable law) until May 2018. [Thanks to @podehaye on Twitter for nudging me on the need to clarify that point]

However, at Castlebridge we’ve been flagging to clients that the governance requirements for managing pseudonymised data are essentially centred on ensuring that access to the “master key” data that can identify people is appropriately restricted and that, given the risk of reidentification by accidental, intentional, or purely statistical means, organisations would be best treating pseudonymised data as if it was “hot” identifiable data. The false safety of pseudonymity has been punctured by Breyer and it will need to be factored into Privacy Impact Assessments and more.

The A29WP actually looked at the issues in pseudonymisation and made some recommendations on approaches that might or might not be identifiable personal data within the meaning of the Directive. That happened in 2007.

Breyer also looked at the question of secondary uses for IP addresses, specifically the use of the data for charging for services post-termination of a connection and the retention of IP addresses in system logs to assist in the detection and investigation of information security threats.

In this case, the CJEU held that a general objective of maintaining operability of services meant that charging for services post-termination (based on the identification of the user via their IP address) was not permitted. But one would suggest that that would be different if the Fair Processing Notice associated with the online service stated that that post-termination charging purpose existed.

However, in Breyer the Court did hold that providers of internet services have a legitimate interest in ensuring continued functioning of websites and online services that goes beyond their publicly accessible functions. It remains to be seen how that will be interpreted in light of the explicit withdrawal under the GDPR of the “Legitimate Interests” processing condition from public authorities in the performance of their tasks (Article 6(f), paragraph 2).

The impact of Breyer: Summarised

Breyer confirms what we already knew, or at least should have suspected. IP addresses are personal data where there is a reasonable and foreseeable means by which the identity of the user of the IP address can be ascertained.

This is consistent with the CJEU ruling in Rynes and with the broad arc of reasoning from the A29WP and the CJEU prior to this point.

The real embuggerance is for those who thought pseudonymised data would get them off the hook. It doesn’t, not where there is a reasonable and legally obtainable means of reidentifying the individual. It does highlight the need for effective governance and controls over pseudonymised data and the advisability of treating pseudonymised data as if it was “live”.

It also means that organisations using IP addresses for purposes which were not disclosed as part of their Privacy Policies and Fair Processing Notices will need to update those to ensure compliance.

We'll also ignore, for now, the implications of errors arising from daylight savings time settings on servers in ISPs given the GDPR's requirement that data be accurate and up to date.