Breyer Ruling, And Dynamic IP Addresses As Personal Data

In October this year, another interesting decision relating to data protection was issued in response to the constant evolution of modern communication technologies, dealing specifically with the definition of personal data pursuant to Article 2(a) of Directive 95/46/EC and its scope. From our perspective, the judgement of the Court of Justice of the European Union in the case C-582/14 Patrick Breyer v. Bundesrepublik Deutschland is not surprising as this decision only articulates a long-time general opinion on the issue of dynamic IP addresses which, in conjunction with other information, may be regarded as personal data. As a matter of fact, this approach was confirmed by an express reference to network identifiers in the definition of personal data under the new general data protection regulation.

In the case-law of the Court of Justice of the European Union ("CJEU") and the European Court of Human Rights ("ECHR"), we can observe a long-term trend due to which the term "personal data" has been constantly broadened to include an internet protocol address (the "IP address"). In the ruling K.U. vs Finland (complaint no. 2872/02), the ECHR expressed its opinion already in 2008 on Finland's breach of its obligation under Article 8 of the European Convention on Human Rights when it failed to provide to the then minor K.U. and his father an effective means by which they could defend themselves against an unknown offender who could have been identified with precision on the basis of his dynamic IP address. The offender placed an ad on internet dating pages in which he, pretending to be a twelve year boy, expressed an interest to meet a boy of the same age. The boy found the ad when a certain man contacted him with a dating offer at his e-mail address. In this case, the internet service provider refused to disclose the identity of the dynamic IP address owner during the investigation, with reference to the then applicable Finish rules governing protection of confidentiality in electronic communications. Although in this case the IP address protection was de facto breached, at the same time, the case evidences that the ECHR regarded the dynamic IP address as information based on which the offender could be identified. In this connection, the ECHR logically remarked that not even freedom of speech and confidentiality of electronic communication is absolute, and may by no means have a detrimental effect on the rights and duties of others.

At the same time, the CJEU provided its opinion on IP addresses in a well-known decision in the case C-70/10 Scarlet Extended (we covered the case here and here), concluding that in a situation in which it is possible to precisely identify the user on the basis...