Marcin Kotula, Legal Officer at the European Commission
The opinions presented are solely those of the author and should not be interpreted as representing the European Commission’s official stance.
Background
The Breyer case saw the German Supreme Court (Bundesgerichtshof) request clarification from the Court of Justice of the European Union (CJEU) on whether dynamic IP addresses constitute personal data under the EU Data Protection Directive and to what extent their storage and processing is permissible for maintaining website functionality. The case involved Mr Breyer, a German politician and privacy advocate, who accessed various German federal institution websites. During his visits, the IP addresses of the devices he used were recorded in log files, alongside details such as accessed pages, search queries, access times, and data transferred.
Storing this data aimed to counter cyberattacks and facilitate the prosecution of perpetrators. Mr Breyer opposed the storage of his IP address after accessing these sites. His legal challenge, requesting the German government halt this practice, ultimately reached the German Supreme Court, which then sought guidance from the CJEU.
The German Supreme Court’s questions centered on dynamic IP addresses, which, unlike static IP addresses, change with each internet connection, making them less privacy-invasive. Assigned by Internet Service Providers (ISPs) as a series of digits, IP addresses alone don’t directly identify individuals. However, when combined with additional information held by ISPs, they can be used to identify the owner of an internet-connected device. A 2011 CJEU ruling, the Scarlet Extended judgment, determined that ISPs handle IP addresses as personal data. However, the Breyer case differed: the German federal institutions operating the websites only possessed the IP addresses, while the identifying information was held by the ISPs. The CJEU was tasked with determining whether these institutions, acting as data controllers, should treat IP addresses as personal data despite lacking this additional information.
The CJEU’s analysis
In its judgment issued on October 19, 2016, the CJEU referenced Article 2(a) of the Data Protection Directive 95/46/EC, defining personal data as any information relating to an identifiable individual, directly or indirectly. Therefore, even if information doesn’t explicitly identify a person, it can still be classified as personal data.
Recital 26 of the Directive offers further guidance on determining identifiability, stating that all reasonably likely means employed by the data controller or any other party to identify the individual should be considered. Based on this, the CJEU assessed the likelihood of the German federal institutions combining the IP addresses they held with the additional information held by ISPs. Aligning with the Opinion of the Advocate General (AG), the CJEU determined this combination was unlikely if prohibited by law or excessively challenging in terms of time, cost, and resources. Within the German context, direct transmission of such information from ISPs to website providers is prohibited. However, in cases of cyberattacks, website providers can contact relevant authorities, who can then obtain the additional information from ISPs. This legal channel led the CJEU to conclude that the German federal institutions must treat the IP addresses of their website visitors as personal data, as identification is possible through collaboration with competent authorities and ISPs.
The CJEU then examined if storing and processing IP addresses post-visit for website operability purposes was permissible for the German federal institutions. Relevant provisions within the German Law on telemedia (Telemediengesetz - TMG) allow user data collection and processing solely for facilitating and billing specific online service use, seemingly excluding general website operability. The CJEU was asked to clarify if these German provisions aligned with Article 7(f) of the Data Protection Directive, which permits personal data processing necessary for the legitimate interests of the data controller or third parties receiving the data, unless overridden by the data subject’s fundamental rights and freedoms.
As maintaining website operability and preventing cyberattacks could lead to criminal proceedings against perpetrators, the CJEU considered if processing IP addresses in such scenarios falls outside the Directive’s scope entirely. Examining Article 3(2) first indent, which excludes personal data processing within the framework of State criminal law activities, the CJEU concluded that in this scenario, the German federal institutions weren’t acting as State authorities but rather as individuals.
Regarding Article 7(f), the CJEU referred to its 2011 ASNEF judgment, which recognizes the legal bases for personal data processing outlined in Article 7 as exhaustive. Member States cannot introduce new principles or additional requirements in this regard. Article 5 of the Directive allows Member States to specify the conditions for lawful processing, but this must remain within Article 7’s boundaries and the Directive’s objective of balancing the free movement of personal data with privacy protection.
Based on this, the CJEU found that the German provisions, by prohibiting processing for general website operability, exceeded mere specification of lawful conditions. The CJEU asserted that these provisions should allow for balancing the goal of website operability against the fundamental rights and freedoms of users. This balancing typically occurs on a case-by-case basis. However, the German provisions preemptively dictate the outcome of this balancing.
Comments
The CJEU’s judgment aligns with established case-law on the Data Protection Directive, which leans towards broad interpretations of key concepts like ‘personal data’ and ‘processing.’ This interpretation also aligns with the Article 29 Data Protection Working Party, which, in its 2007 Opinion, considers IP addresses as personal data, with the sole exception of addresses assigned in environments like cybercafés where users are typically anonymous.
The CJEU’s response regarding IP address processing for website operability leaves room for interpretation. It acknowledges ensuring website functionality as a legitimate aim for German federal institutions under Article 7(f) of the Data Protection Directive. However, it emphasizes the need to weigh such aims against data subjects’ fundamental rights and freedoms. Therefore, retaining IP addresses without further consideration might not always be permissible for website providers. Instead, they might need to balance competing interests on a case-by-case basis. The CJEU refrains from specifying criteria for this assessment.
The AG’s Opinion offered a noteworthy suggestion. Analyzing Recital 26’s wording, which mandates considering means employed by both the data controller and “any other person” to assess identifiability, the AG proposes interpreting “any other person” as specific third parties accessible to and reasonably approachable by the data controller for additional information. The CJEU didn’t explicitly address this in its judgment. However, by focusing solely on the scenario where German federal institutions collaborate with authorities responsible for prosecuting cyberattacks, who then contact ISPs for additional information, the Court remained within the AG’s suggestion, as these third parties were either directly or indirectly accessible. It’s worth noting that the German court’s question specifically mentioned ISPs as the source of additional information, without exploring other scenarios.
Another significant point arose during the CJEU’s analysis of whether IP address processing qualifies as a State activity within criminal law, potentially exempting it from the Data Protection Directive. Both the CJEU and AG dismissed this exemption’s applicability, as the German federal institutions weren’t acting in their public authority capacity while processing IP addresses. Instead, they acted as “individuals.” However, the term “individual” is often synonymous with “natural person,” as seen in data protection instruments like the Data Protection Directive 95/46, Regulation 45/2001, and Convention No. 108 of the Council of Europe, which all refer to protecting “individuals” in relation to personal data processing.
This distinction is relevant to another exception within the Data Protection Directive: processing by natural persons for purely personal or household activities. While seemingly counterintuitive for a public authority to invoke an exception intended for natural persons, it might not be implausible considering CJEU case-law. Of the three CJEU cases addressing this exception, two (Ryneš, Lindqvist) involved natural persons processing data. However, the Satamedia case concerned processing by a private company.
In Satamedia, the CJEU ruled that Satamedia and Markkinapörssi, as private companies, couldn’t rely on the State activities in criminal law exception. However, the court then examined whether their processing qualified as a purely personal or household activity, ultimately rejecting this possibility due to the companies making collected data publicly available. Considering the CJEU and AG’s assertion in Breyer that the German federal institutions processed IP addresses as individuals, and the CJEU not ruling out this option for private companies, it seems conceivable for a public authority to invoke the personal and household exemption. However, this exemption’s requirements are stringent. In all three CJEU cases mentioned, the exemption was rejected due to data being published online, made widely accessible, or falling outside the collector’s private sphere (e.g., public space video surveillance).
Lastly, the Breyer case closely mirrors personal data pseudonymization, a concept introduced in the new General Data Protection Regulation (GDPR) applicable from May 25, 2018. Pseudonymization is defined as processing personal data to prevent attribution to a specific data subject without additional information, which is stored separately and subject to technical and organizational measures to prevent re-identification. Under GDPR, pseudonymized data is still considered personal data, but pseudonymization is factored into the application of certain provisions.