On October 19, 2016, the Court of Justice of the European Union (the “CJEU”) issued its judgment in Patrick Breyer v. Bundesrepublik Deutschland, following the Opinion of Advocate General Manuel Campos Sánchez-Bordona on May 12, 2016. The CJEU followed the Opinion of the Advocate General and declared that a dynamic IP address registered by a website operator must be treated as personal data by that operator to the extent that the user’s Internet service provider (“ISP”) has – and may provide – additional data that, in combination with the IP address, would allow for the identification of the user.
The case arose in 2008 when a German citizen brought an action before the German courts seeking an injunction to prevent websites, operated by the Federal German Institutions, from registering and storing his IP addresses. Most of these websites store information on all access operations in logfiles (including the IP address of the computer from which access was sought, and the date and time when a website was accessed) for the purposes of preventing cyber attacks and making it possible to prosecute ‘pirates.’ The German citizen’s claim was initially rejected by the court of first instance. The claim was granted in part, however, by the court of appeals. Subsequently, both parties appealed the decision to the German Federal Court of Justice.
The German Federal Court of Justice suspended the proceedings and referred the following two questions to the CJEU:
- Whether a dynamic IP address (i.e., an IP address which is different each time there is a new connection to the Internet) registered by an online media services provider (here, the German institutions) is personal data within the meaning of Article 2(a) of the EU Data Protection Directive, when only a third party (the ISP) has the additional information necessary to identify the website user.
- Whether the ‘legitimate interest’ legal basis under Article 7(f) of the EU Data Protection Directive is contrary to a provision of the German Telemedia Act, which is interpreted by most German legal commentators as preventing the storage of personal data after the consultation of online media in order to guarantee the security and continued proper functioning of those media. According to that interpretation, personal data must be deleted at the end of the consultation period, unless the data is required for billing purposes.
The CJEU gave a positive reply to both questions. With regard to the first question, the CJEU noted that there appear to be legal channels in Germany enabling the online media services provider to contact the competent authority – in particular, in the event of cyber attacks – so that the competent authority may take the steps necessary to obtain from the ISP additional information on the website user and subsequently bring criminal proceedings. In other words, the online media services provider would have the means, which may likely reasonably be used, to identify the website user – with the assistance of third parties – on the basis of the IP addresses stored. Consequently, the CJEU ruled that the dynamic IP address of a website user is personal data, with respect to the website operator, if that operator has the legal means allowing it to identify the user concerned with additional information about that user which is held by the ISP.
With regard to the second question, the CJEU ruled that the German legislation, as interpreted by most legal commentators, excludes the possibility of performing the ‘legitimate interest’ test (i.e., in the present case, balancing the objective of ensuring the general operability of the online media against the interests or fundamental rights of website users). In this respect, the CJEU emphasized that German Federal Institutions, which provide online media services, may have a legitimate interest in ensuring the continued functioning of their websites and thus in storing certain user personal data in order to protect themselves against cyber attacks.
The German Federal Court of Justice is now required to decide on the dispute itself.
View the full text of the judgment of the CJEU. For a summary, please see the press release of the CJEU.