11-03-2016 Article

Update Data Protection 15/2016

The long-awaited judgment of the ECJ on the personal connection of IP addresses

ECJ: Dynamic IP addresses are personal data for website operators (and others?); their storage can however be justified in the context of the "legitimate interest".

The long-awaited answer to one of the most central questions of data protection law was given by the ECJ in its judgment dated October 19, 2016. Like the Advocate General in May, the ECJ decided that dynamic IP addresses (IP = Internet Protocol) must be regarded as personal if the responsible body in Germany has, in principle, a legal possibility of accessing the "comparative data" of the Internet provider of the party concerned. With regard to the question submitted, the BGH (German Federal Supreme Court) informed the ECJ that, under the regulations of the TKG (German Telecommunications Act), the Internet provider is not permitted to pass the information for identification of an Internet connection to third parties. In this respect, the ECJ simply referred to the fact that, in cases of hacking and with recourse to investigation authorities, the matter would probably have to be assessed differently. According to the ECJ in its argumentation covering just a few paragraphs, the possibility "evidently" exists of obtaining the information with the help of responsible authorities. Nevertheless, the Federal Supreme Court should again check this under German law.

The background

Concerning the background to the judgment, we refer to our Newsletter on the argumentation of the Advocate General in this matter. This is again summarized here as follows: an Internet provider assigns new dynamic IP addresses to private persons on an individual basis each time they connect to the Internet. Without the additional knowledge of the Internet provider that has assigned the IP address, it is very difficult (without reconciliation with further data sources) to ascertain which IP address is assigned to which Internet connection (whether the owner of the connection is then also simultaneously the person being sought must be doubted anyway in times of extensive private Wi-Fi use and the prevalence of "Freifunk").

Objective theory of the personal connection

One can therefore argue as to whether a dynamic IP address is to be regarded as personal data. There is very extensive agreement in both case law and literature that all data that can be assigned to a person with the help of a certain amount of research is to be regarded as personal. Admittedly, there is disagreement concerning the extent of the research work. The data protection supervisory authorities traditionally assume that it is sufficient if any third party has the additional knowledge for identification of a person. In this respect, there is also talk of an objective theory of the personal connection, since, according to this interpretation, it is sufficient if the necessary additional knowledge for identification of a person is objectively available (somewhere in the world).

As a rule no entitlement to information under civil law

The ECJ bases its argumentation on whether the website operator has a legal possibility of obtaining the provider's data for reconciliation of the IP addresses. Cases in which there is a direct civil-law entitlement to information against an Internet provider are few and far between. In the event of violation of copyright by a visitor to a website, the website operator could refer to Section 101 UrhG (Copyright Act). However, particularly in the case of hacking set out by the ECJ, there is no such entitlement to information.

The state investigation authorities as extended arm of each body with responsibility under data protection law?

Overall therefore, the ECJ leans clearly towards the objective theory, as it regards information as personal even if it can only be assigned to a person with the help of a state investigation authority. The ECJ narrows down this broad interpretation only through the following consideration: IP addresses should only be personal if, given an ex-ante consideration and a reasonable suspicion of a criminal offense, a responsible body reasonably evaluates precisely the log files for investigation purposes, and the Internet provider is contacted with the help of the public prosecution service. This is indeed the case with web servers, as these are typically potential targets of hacker attacks. If the ex-ante consideration comes to the conclusion that IP addresses, stored in log files or elsewhere, are not to be used for criminal investigations, the IP addresses are not treated as personal, as emphasized by some initial comments on the ECJ judgment. However, the degree of probability of recourse to investigation authorities that triggers the personal connection with an ex-ante consideration is therefore by no means clear. If an entire IT system is attacked, IT forensic scientists will search through all available log files of each individual server, of clients, mobile end devices, smart devices etc. for traces of the attacker, and will hand IP addresses found to the police or public prosecution service for further investigation. De facto, there are likely to be hardly any log files or data records that, given ex-ante consideration, are so unlikely to be used for investigating a criminal offense that the absence of a personal connection can be assumed from the outset. In any case and to be on the safe side, a personal connection of IP addresses should always be assumed in practice.

However, the shift towards the objective theory must also be taken into account even over and above the IP addresses. Whenever information is stored in future, consideration will have to be given as to whether this information could be assigned to a person in the event of visualized, reasonable research by the public prosecution service - to which recourse would plausibly be made in rare individual cases. It is currently still hardly foreseeable which cases this will concern in future.

Omnipresence of IP addresses

The overwhelming share of global data interchange is via so-called IP packets, with each individual IP packet including the IP address of the respective addressee and sender. For this reason alone, the judgment must be observed in all areas of digital communication. In the opinion of the ECJ, each transfer of data on the Internet, via Connected Cars, Smart Home, in the Smart Factory via Smart Meters and in the entire Internet of Things, should be treated as personal in order to be on the safe side. The volume of information that will be considered non-personal in future will therefore decrease considerably.

Will numerous data processing transactions now be carried out without an element of consent?

This is not the case, as the ECJ has built something of a golden bridge through its reply to the second question submitted: according to the ECJ, the processing of personal data (such as IP addresses) can be justified for the purpose of ensuring the functional capacities of online services as per Article 7 lit. f of Directive 95/46/EC, i.e. in accordance with the "legitimate interest" of the responsible body. Conflicting national legal standards (for example, in the case at hand the standards of the TMG (Teleservices Act) that only permit the storage of an IP address without declaration of consent for the period of use) stand in the way of the Directive. This is likely to be transferable to a large number of processes that are necessarily dependent on the transfer and storage of IP addresses. To what extent, however, there is a fundamental "necessity" in each individual case and how long storage can be considered "necessary" will require increased auditing and documentation in future.

New Deal in data protection law?

Even if the ECJ does not say so specifically, this shifts the overall tectonics of data protection law: on the one hand, almost every item of information will have to be considered as personal data in future and, to compensate for this, it will be possible to argue more frequently than in the past by claiming a legitimate interest in the storage of data. Whether this establishes itself in practice as the "New Deal" in data protection law remains to be seen.

Obligations to inform and informed declarations of consent

What will now, however, definitely change in practice is the scope of the information to be passed to the user (for example in the context of a data protection statement) on the processing of personal data. In addition, there will be a need for significantly closer checking of whether the user has been given sufficient information on the storage of personal data in advance of a declaration of consent. Previously, people were well advised to report extensively on the creation of logged data in the data protection statement of a website. This now has to be rectified in a number of app-controlled devices in the "Internet of Things", irrespective of how much technical data is stored by a modern fully automated coffee machine, a digital thermostat or a SmartTV (and how insensitive this is). Every item of information is transferred in the form of an IP packet and will therefore have to be treated as personal. In this respect, the future will show which customary practices will establish themselves as regards the formulation of data protection statements and declarations of consent. There is particular volatility in terms of the obligations to inform because, under the General Data Protection Regulation that will take effect on May 25, 2018 (see our general Newsletter on the GDPR), fines of up to 20 million EUR or up to 4 percent of global annual sales can be imposed for violations of the obligation of transparency (i.e. the explanation of all personal data collected) - see our Newsletter on fines under the GDPR.

Right to information

Every person affected, i.e. the person on whom data is collected, has a right to information concerning the personal data stored on him/her. The problem created by the ECJ judgment in terms of such an entitlement to information was not considered at all by either the ECJ or the Advocate General: as the entitlement to information applies to all data stored on a person and the IP address will per se have to be regarded as personal data in future for security reasons, a website operator, host or operator of any other smart software or hardware would have to inform an inquiring user which IP addresses he can assign to the user. This reveals a dilemma of the ECJ judgment: as long as there are no indications of a criminal offense, it will hardly be possible for an average company to ascertain which connection owner and which person an IP address is to be assigned to. Even given the help of Big-Data analysis software that could analyze things such as the footprints of the inquirer in social media, assignment to a person will not succeed in many cases (to what extent the use of such software would in turn be justified is another matter).

What will happen next? Back-door for the Federal Supreme Court?

Implementation of the question submitted through a Federal Supreme Court judgment will hopefully result in further substantiation. Fundamentally speaking, there are argumentation approaches for avoiding the dilemma outlined above. According to the ECJ, the personal connection of an IP address is affirmed if the website operator "has legal means at his disposal enabling him to determine the person concerned on the basis of the supplementary information, available to this person's Internet access provider".

Fundamentally speaking, the Federal Supreme Court could simply argue on the basis that there is no civil-law entitlement to information against Internet providers under German law. Accordingly, the dynamic IP address would not be virtually "automatic" and personal in every individual case. As a result, the question submitted would be implemented.

However, the ECJ referred to the procurement of information "by the responsible authorities". The Federal Supreme Court should therefore read this answer from the ECJ more as follows, in order to allow a differentiated consideration for Germany: only in the few individual cases in which facts justify the assumption of a criminal offense, with the result that the research options of the public prosecution service are available, does personal data also exist. On the one hand, the fact that the Federal Supreme Court has already simply established in the question submitted that the Internet access provider is fundamentally not permitted to forward the personal information behind an IP address, would speak in favor of this. On the other hand, investigation by the public prosecution service would also only begin if facts establish a reasonable suspicion. Additionally, it is only in such cases that fulfilment of an entitlement of the party concerned to information would automatically be possible. Nevertheless, it becomes clear "between the lines" that the ECJ favors a different interpretation approach. The ECJ states: "A provider of online media services thus evidently has means that can be used in reasonable manner to have the person concerned determined on the basis of the stored IP addresses - with the help of third parties, i.e. the responsible authorities and the Internet access provider." It remains to be seen how the Federal Supreme Court utilizes this reply. Until further notice, all IP addresses should be treated as personal in order to avoid risks.

Example of disharmonization

The fact that the ECJ makes the question dependent on the circumstances under national law is regrettable in the context of harmonization of data protection law. The ECJ sets out its own argumentation in just three paragraphs (before this, reference is made only to the facts, the course of procedure and the relevant standards). As can be seen above, the extremely brief argumentation of the ECJ is open to interpretation, something that could be used against the background of greatly differing data protection mentalities in Europe. Given the identical-content definition of personal data in the General Data Protection Regulation, this will also have an effect on the period after May 25, 2018 - the date on which the GDPR takes effect. To avoid risks, the assumption should be made until further notice and for the whole of Europe that an IP address constitutes personal data.