In a ruling dated 19 October 2016 (ref.: C582/14), the ECJ found that dynamic IP addresses constitute personal data whenever the website host that processed the IP address has the legal means to obtain additional information from the provider to identify the person concerned.
Internet providers assign IP addresses to their users so that connected devices can be identified. Dynamic IP addresses are reassigned for each new internet connection, making it impossible for third parties to identify users directly.
Objective standard applies
The ruling is particularly noteworthy because the ECJ does not make the decision contingent on whether the information needed to identify the person is in the hands of a single party processing the data (the controller). Instead, it is sufficient for the controller to have the legal means to obtain the information from a third party, regardless of whether these means are actually employed.
Thus, an objective standard applies when identifying whether there is a reference to the person.
Personal data in the EU
The EU General Data Protection Regulation (GDPR), which will apply in all EU states from May 2018, also provides for an objective standard.
In Article 4(1), the GDPR defines personal data as any information relating to an identified or identifiable natural person. Identification can take place indirectly – by reference to an identifier, for example.
A determination of whether a person is identifiable should take into account all the means reasonably likely to be used (Recital 26 GDPR).
Therefore, a person is identifiable if the additional information needed for identification is accessible and obtainable with a certain effort. This includes the possibility that the information must be obtained from a third party using legal means.
Implications for day-to-day business
Based on the ECJ’s ruling and in view of the GDPR, more and more data is likely to be classified as personal data, likely including identifiers or log-in information that can be related objectively to individual persons.
Such data can be processed only with statutory authorization or consent. This is particularly relevant for day-to-day business because companies will have to apply data protection regulations more often.
In response, companies should prepare for a broader application of the regulations and should familiarize themselves with the more stringent requirements of the GDPR.