31 October 2016 – On 19 October 2016, upon request for a preliminary ruling, the Court of Justice of the European Union (CJEU) held that dynamic IP addresses constitute personal data for media services providers (such as website operators), when it is possible for them to combine the data they hold with data held by internet service providers so as to identify the data subject.

The German Federal Court of Justice (Bundesgerichtshof) asked the CJEU to render a preliminary ruling in the case of Mr Patrick Breyer v. the Federal Republic of Germany. Mr Breyer accessed several websites operated by the German government, which recorded logfiles containing, among other information, the dynamic IP addresses attributed to Mr Breyer by his internet service provider (ISP) when accessing the websites. This data alone was however insufficient for the website operator to identify Mr Breyer. In order for the website operator to identify Mr Breyer, it would require additional information from Mr Breyer’s internet service provider (ISP).

In its ruling (available here), the CJEU considered that this did not prevent the qualification of dynamic IP addresses collected and stored by the website operator as personal data within the meaning of the European Data Protection Directive (Directive 95/46). The Court indeed held that, even though German law does not allow the ISP to directly transmit additional data necessary for the identification of a data subject to a website operator, legal channels exist allowing the website operator, in the event of cyberattacks, to contact the competent authority in order to obtain the complementary data from the ISP. Furthermore, the CJEU held that such means may likely reasonably be used by the website operator to identify the data subject on the basis of the dynamic IP addresses it has collected and stored.

The outcome of the CJEU’s ruling can be compared to the Swiss Federal Supreme Court’s Logistep decision (see News dated 3 February 2011 and 30 November 2010). In the latter case, the Swiss Federal Supreme Court held that dynamic IP addresses collected by a service provider on behalf of copyright holders qualified as personal data even though the copyright holders/service provider could not by themselves identify the persons behind the dynamic IP addresses. In order to do so, a criminal complaint would have to be filed with the competent authorities.

On 25 May 2018, the European General Data Protection Regulation (GDPR) will enter into force. It will, under certain conditions, also apply to data handlers based in Switzerland (see News dated 6 May 2016, 20 April 2016 and 18 December 2015). The GDPR explicitly qualifies online identifiers (such as IP addresses, cookie identifiers, etc.) as personal data (see article 4 (1) GDPR and Recital 30 GDPR). It is not fully clear, based on the wording of article 4 (1) GDPR and Recital 30, whether dynamic IP addresses will per se always qualify as personal data under the GDPR. Alternatively, this may only be the case if, in accordance with the CJEU’s ruling, there are legal channels which allow someone who “only” knows the dynamic IP address to obtain the complementary information from an ISP and that such legal channels will reasonably likely be used for such purposes. We give preference to the second opinion. In our view, the reasoning of the CJEU will continue to apply even after the entry into force of the GDPR.