On 19 October 2016, the European Court of Justice (the “ECJ“) published its judgment in Case 582/14 – Patrick Breyer v Germany, in which it held that IP addresses are personal data in certain circumstances.
Article 2(a) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data must be interpreted as meaning that a dynamic IP address registered by an online media services provider when a person accesses a website that the provider makes accessible to the public constitutes personal data within the meaning of that provision, in relation to that provider, where the latter has the legal means which enable it to identify the data subject with additional data which the internet service provider has about that person.
Unsurprisingly, an IP address is not considered as a personal data per se but may become one if the controller has reasonable means to obtain additional information enabling the identification of the person behind the IP address whether it is obtained directly or indirectly (i.e. through a third party).
In that case, the website owner was a public authority having the legal means to ask the user’s internet service provider to provide additional information about him enabling the user’s identification. Therefore dynamic IP address was regarded as a personal data with regard to this specific website owner.
In other cases, the website owner should collect additional information from somewhere else for the IP address to be regarded as a personal data (e.g. the user sign in while browsing the website etc.). The simple fact that an Internet Service Provider owns the necessary additional information to identify someone behind an IP address does not make IP address a personal data with regard to any website owner. It is a case by case analysis.