Data Protection |  Jul 18, 2017

Can your IP disclose your ID?

Authors: Dr. Andrew J. Zammit and Ms. Nicole Cannataci

An “IP”, or “internet protocol” is a unique series of numbers allocated to each and every device connected to a network, including and most notable the internet. Similar to your physical  home address to which postal articles are addressed and delivered, internet traffic is delivered to your computer’s address i.e. your IP address.

Whilst there is no question that your home address represents “personally identifiable information” i.e. information capable of identifying you as an individual, is it also fair to say that your online IP address could also be considered as being “personally identifiable information”, making it fall within the remit of data protection law?

In order to properly assess this possibility one must first look at the 2 major types of IPs, namely “static IP” and “dynamic IP”. A static IP is one that doesn’t change, and is permanently assigned to you by your Internet Service Provider (ISP)[1]. On the other hand, dynamic IP addresses are those IPs which are dynamically assigned to your device by your ISP each time it connects to the internet. This means that your device may not be allocated the same IP address which it had previously when it was last connected[2].

The constant renewing of IP addresses present in dynamic IPs enhances the safety afforded by them. Yet, despite this sense of security, can you as an online user be personally traced and/or identified through your IP address?

In a 2016 judgment by the CJEU in the names of Patrick Breyer v. Bundesrepublik Deutschland[3], the Court confirmed just this: when accompanied by certain additional information which can be acquired through third parties (ISPs), dynamic IP addresses are considered to constitute personal data as they can lead to the identification of a website user. This case revolved around a German Pirate Party citizen, Breyer, who brought an action before the German courts seeking to bar websites from registering and storing his IP[4]. The case was eventually referred to the CJEU, which had to focus on answering 2 major questions, namely whether;

  1. “A dynamic IP address registered by an online media services provider is personal data within the meaning of Article 2 (a) of the EU Data Protection Directive, where only a 3rd party (ISP) has the additional information necessary to identify the website user; and
  2. The ‘legitimate interest’ under Article 7(f) of the Data Protection Directive (DPD) ran contract to the German Telemedia Act – the latter stated that personal data must be deleted at the end of the consultation period, unless the data is required for billing purposes”[5]

The CJEU address both points positively and ruled that with respect to the online media provider, user data such as a dynamic IP is considered to be personal data only when the operator has the illegal means which allows it to identify the user concerned, with additional information about that user, which is held by the ISP.

In conclusion, the CJEU stated that, “if a business collects and processes these IP addresses, but has no legal means of linking those IPs to the identities of the relevant users, then IPs aren’t considered as personal data”[6]. On the other hand, if businesses have enough information to bridge the gap between an IP address and an individual’s identity, then that IP address is considered to fall under the category of personally identifiable information[7]. Put in more simple terms, in certain cases, your dynamic IP address can constitute personal data, which is protected by data protection law and, if breached, will be subject to the same sanctions which are made available to other standard breaches of storage and protection of personal data.

This judgment serves as a firm warning to online media services providers in Europe that extra attention must be given to the merging of a user’s IP address and any ancillary information made available by the ISP. For internet users, on the other hand, it has confirmed the existence of a degree of protection and safety which should not be underestimated, particularly as Europe gears up to implementing the provisions of the General Data Protection Regulation in mid-2018.

For further information on how GVZH Advocates can assist you with your Data Protection and Privacy requirements, kindly contact us here.

[1] See the full article at http://whatismyipaddress.com/dynamic-static

[2] See the full article at https://www.iplocation.net/static-vs-dynamic-ip-address

[3] Read the full judgment at http://curia.europa.eu/juris/document/document.jsf?docid=184668&doclang=EN

[4] Read the full article at https://arstechnica.co.uk/tech-policy/2016/10/eu-dynamic-static-ip-personal-data/

[5] See the full article at https://www.huntonprivacyblog.com/2016/10/19/cjeu-rules-dynamic-ip-addresses-personal-data/

[6] See the full article at https://www.whitecase.com/publications/alert/court-confirms-ip-addresses-are-personal-data-some-cases

[7] See the full article at https://www.whitecase.com/publications/alert/court-confirms-ip-addresses-are-personal-data-some-cases

Print this Page