Dynamic IP addresses can be personal data, CJEU says

The Advocate General of the Court of Justice of the European Union (CJEU) issued an opinion yesterday in the case Patrick Breyer v. Federal Republic of Germany which suggests that dynamic Internet Protocol (IP) addresses fall within the EU Data Protection Directive. The case is about whether the Federal Republic of Germany may save the IP addresses of visitors to its websites. The essential question is whether the Data Protection Directive should be interpreted to mean that an IP address stored, in connection with a visit to a website, will constitute personal data if a third party has additional data which will make it possible to re-identify the individual.

The Advocate General of the CJEU says that if dynamic IP addresses were not regarded as personal data from the point of view of the operator of an Internet service, they could retain them indefinitely and at any time ask the Internet Service Provider (usually phone companies) for additional data in order to combine them with the dynamic IP address.

The court is yet to give its final decision, but often the Advocate General’s view is followed. The German government’s view was that the IP addresses would not be personal data. The European Commission pointed out that retaining IP addresses and the additional information may make identification possible in case of an attack against the network – a purpose IP addresses are retained for in the first place.

The English translation has not yet been published, but several other language versions, including German, Spanish, French and Italian.