
Are IP addresses personal data?

21 June 2016

In the EU, personal data is defined as any information relating to an identified or identifiable natural person. In order to decide whether a person is identifiable, account should be taken of “all the means likely reasonably to be used …. to identify the said person”.

On the 12th May 2016 the EU Advocate General issued an Opinion in case C-582/14 Patrick Breyer v Germany, which is before the European Court of Justice. The Advocate General considers that dynamic IP addresses qualify as personal data, notwithstanding that a website operator cannot identify the user behind the IP address, because internet access providers will have additional data which, when linked to the IP address, identifies webpage users. If dynamic IP addresses are personal data, then a further question, which was considered by the Attorney General, was whether or not it is lawful to retain dynamic IP addresses without the consent of the data subject on the basis that it is a “legitimate interest” of the internet service provider concerned.

When individuals access online services, their IP address is used for a variety of purposes by websites, internet service providers and internet access providers, and those IP addresses are usually stored for risk management and cyber security purposes. The EU Data Protection Directive requires that personal data shall be kept no longer than is necessary, and there is still uncertainty as to whether the retention of IP addresses is fair and lawful. It now seems that the retention of dynamic IP addresses is lawful.

The opinion of the Advocate General is not binding on the decision of the Court but is highly influential.

The current case has been brought by Patrick Breyer who claims that his IP address should not be retained longer than the period for which he accesses a particular online service.

The Opinion above assists internet infrastructure businesses in using personal data for corporate governance purposes and is an example of where data subject rights in relation to personal data may be overridden by internet governance requirements.

This article was written by Robert Bond.

For more information, please contact Robert Bond on +44 (0)20 7427 6660 or robert.bond@crsblaw.com.