by Ezekiel Aborishade, LL.M Candidate,
Leibniz University Hannover, Germany
Background
Although a dynamic internet protocol address ('IP address') is inherently an identification number, its qualification as personal data or non-personal data under Article 2(a) of Directive 95/46/EC[1] has generated considerable controversy.[2]
But in the cyberage[3], where the very existence of persons seems to be invariably connected to the internet, there is a need for certainty regarding the legal status of a dynamic IP address. To say the least, legal certainty in the context of a dynamic IP address is 'important for many business models in a data-driven economy and for preserving data subjects’ privacy with regard to today’s monitoring and profiling possibilities – both of government institutions and of high-tech companies.'[4]
Certainly, data controllers[5] such as providers of services on the internet have a stake in the dynamic IP addresses of the devices used by visitors to access their websites. If such addresses were classified as personal data, a controller would, subject to the relevant exceptions,[6] always have to obtain the informed consent of data subjects prior to processing.[7]
This represents a practical problem for website owners as data subjects might
maliciously withhold or withdraw consent.[8]
Such a state of affairs would have a negative impact on one of the objectives of the Data Protection Directive (DPD), which is to ensure free data flows.[9] Thus, 'consent' lies at the heart of the debate about the scope of Article 2(a) DPD vis-à-vis dynamic IP addresses.
In that connection, Article 7(f) DPD provides a respite for website
owners. It legitimizes processing operations carried out without the consent of
data subjects. The only condition attached to enjoying that exception is that
"processing is necessary for the purposes of the legitimate interests pursued
by the controller".[10]
However, the question remains in which circumstances processing a dynamic IP address (assuming it were personal data) would be deemed necessary for the purposes of the legitimate interests of website owners.
On 19 October 2016, the Court of Justice of the European Union (CJEU) answered that question when (within the framework of Articles 2(a) and 7(f) DPD) it tackled some of the vexing issues concerning dynamic IP addresses. Before discussing the decision[11] of the CJEU, a brief description of the subject matter (dynamic IP addresses) is given in order to lay the technical foundation which served as a springboard for the ruling.[12]
Technical Nature of a Dynamic IP Address
A dynamic IP address is a sequence of numbers[13]
assigned to a device for identification and communication purposes.[14]
Generally, when a device connects to an electronic communications network (the
internet), a permanent or temporary identification number is assigned to it by
an internet service provider ('ISP'). The temporary identification number is
known as a dynamic IP address, because it changes with each new connection to
the internet. This is in contrast with the permanent identification number
which remains the same, hence the name static IP address. In more elementary
terms,
[w]hen you sign up with your ISP, your ISP either assigns you a static
IP address or a dynamic IP address depending on the contract. If you need to
setup a web server or an email service, you'll need a static IP address. If you
are just browsing an Internet (sic), you may just get by with a dynamic IP
address.[15]
In the same vein,
internet service providers allocate to the computers of internet users
either a ‘static’ IP address or a ‘dynamic’ IP address, that is to say an IP
address which changes each time there is a new connection to the internet.
Unlike static IP addresses, dynamic IP addresses do not enable a link to be
established, through files accessible to the public, between a given computer
and the physical connection to the network used by the internet service
provider.[16]
For purposes of clarity and emphasis, a dynamic IP address is not an
identification number in the sense that the owner of a given device could be
identified by a mere look at the number. Rather, it must be combined with
additional data (such as those kept by an ISP) in order to identify the owner
of said device.[17]
Build-up to the CJEU Decision in Patrick Breyer v Bundesrepublik Deutschland (Germany)
There has been much discussion of whether IP
addresses are personal data, and the majority opinion considers them to be
always personal data when they are fixed [static] IP addresses that identify a
specific computer. If they are movable [dynamic] IP addresses that are assigned
by the access provider every time the user logs in, then they are personal data
only if the service provider has enough information to actually identify the
user, which will usually be the case.[18]
Whether dynamic IP addresses fall under the definition of personal
data under Article 2(a) DPD is the baseline test for their eligibility for
protection as such. The CJEU in the case of Scarlet Extended v SABAM had
referred to this question in passing when it stated that IP addresses are
personal data 'because they allow those users to be precisely identified.'[19]
However, it is clear that the CJEU made that statement in the context of an ISP which had in its possession the IP addresses and other personal data of its clients (making precise identification both possible and effortless). As a result, the above judicial opinion has been put into context by the relativists, who argue that IP addresses are not to be treated as personal data in every given scenario. They posit that the character of an entity (data controller), together with the (dis)proportionate effort with which it could obtain the additional data necessary for the identification of a data subject, must be taken into account for purposes of bringing a particular IP address within the meaning of Article 2(a).[20]
'Therefore, only realistic chances of combining data in order to identify an
individual are taken into account – and not highly theoretical identification
risks.'[21] This line of thinking, which favours a case by case
treatment of dynamic IP addresses, is thus summarized by the CJEU:
According to a ‘relative’ criterion, such data [IP address] may be
regarded as personal data in relation to an entity such as Mr. Breyer’s
internet service provider because they allow the user to be precisely
identified . . . , but not being regarded as such with respect to another
entity [website owner], since that operator does not have, if Mr. Breyer has
not disclosed his identity during the consultation of those websites, the
information necessary to identify him without disproportionate effort.[22]
A counter-argument is put forth by the proponents of an objective or absolute test. They insist that the mere existence of a legal channel for identifying a data subject is sufficient. They maintain that all that is required for a dynamic IP address to be treated as personal data is for a data subject to be identifiable, whether directly or indirectly, as foreseen by the drafters of Article 2(a) and Recital 26[23] DPD. Therefore, they insist, it is of no relevance whether the additional data needed to identify a data subject is in the possession of a third party rather than the controller.[24]
In a nutshell:
a user is identifiable — and, therefore, the IP address is personal
data capable of protection — when, regardless of the abilities and means of the
provider of a service on the Internet, it is feasible to identify him, solely
by combining that dynamic IP address with data provided by a third party [for
example, the Internet service provider].[25]
These conflicting views came to a head in the case of Patrick Breyer
v. Bundesrepublik Deutschland[26]
and constituted one of the questions which arose from there to the CJEU. There,
the CJEU was ultimately requested to decide between the relative and absolute
criterion in the interpretation of Article 2(a) and Recital 26 of the
Directive. The reference for a preliminary ruling was made by the
Bundesgerichtshof (Federal Court of Justice, Germany), the national court
seised of the matter.
Included in the reference was an ancillary[27]
question concerning the construction of the sixth principle under Article 7 DPD
(which 'sets out an exhaustive and restrictive list of cases in which the
processing of personal data can be regarded as being lawful'[28]).
In particular, Article 7(f) DPD mandates member states to enact in their
national data protection laws, a principle of 'legitimate interests'.[29]
This is to guarantee processing of personal data without the consent of the
data subject where:
processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject.[30]
Transposing the above provision into national law,[31]
the German federal legislature enacted Article 15 of the Telemedia Act (TMG).[32]
However, the provision in the TMG was not as robust as Article 7(f) of the DPD.[33]
It granted an exemption from the consent of the data subject only in two
strictly defined cases, namely, "to the extent necessary in order to facilitate,
and charge for, the specific use of the telemedium by the user
concerned".[34]
Consequently, in the context of 'non-consensual' processing of
personal data, the notion of the legitimate interests pursued by the controller
was radically narrowed. What this meant was that controllers such as website
owners could not, without the consent of users, process dynamic IP addresses
(if they were personal data), save for purposes of facilitating and charging
for the specific use of the telemedium
by the user concerned. It would not matter even where such processing was for
the legitimate purpose of ensuring the continued functionality of the
controller's system, after the specific use by a data subject.
Following are the facts of the case, the decision of the CJEU therein,
as well as the author's appraisal of that decision.
The facts of the case
German Federal Institutions (the Institutions) operated websites through which services were provided to the public. Details of visitors' access to those websites were registered and stored in logfiles. Those logfiles recorded the dynamic IP address of the device used to gain access, the time of access, search terms, the requested webpage or file name, the quantity of data transferred, and whether access succeeded or failed.[35] This was done in order to prevent attacks against those websites. And if there was an attack, the Institutions wanted to be able to identify the culprit(s) and also bring criminal action.[36]
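As an added illustration (not from the article or the judgment) of the point made in the technical section and in the description of the Institutions' logfiles: a dynamic IP address in a web-server log identifies nobody on its own, because the same address is reused by different subscribers over time; only combined with the time of access and the ISP's address-assignment records does it resolve to one person. All log lines, lease windows and subscriber labels below are constructed sample data, and the Common Log Format layout of the log is an assumption.

```python
"""Why a logged dynamic IP address is identifying only in combination with
ISP records: added illustration, all data constructed."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional
import re


@dataclass(frozen=True)
class AccessLogEntry:
    """The fields the article says the Institutions stored per visit."""
    ip: str
    time: datetime
    request: str       # requested page or file, including search terms
    status: int        # success or failure of access
    bytes_sent: int    # quantity of data transferred


@dataclass(frozen=True)
class LeaseRecord:
    """ISP-side record: which subscriber held a dynamic address, and when."""
    ip: str
    subscriber: str    # constructed pseudonymous label, not a real person
    start: datetime
    end: datetime


# Common Log Format line (assumed layout): ip - - [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - - \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+)$'
)


def parse_access_log(line: str) -> AccessLogEntry:
    """Parse one log line into the stored fields; the timestamp is timezone-aware."""
    m = LOG_RE.match(line)
    if m is None:
        raise ValueError(f"unrecognised log line: {line!r}")
    t = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")
    return AccessLogEntry(m.group("ip"), t, m.group("request"),
                          int(m.group("status")), int(m.group("bytes")))


def subscribers_for_ip(ip: str, leases: list[LeaseRecord]) -> set[str]:
    """Address alone: every subscriber who ever held it, i.e. ambiguous."""
    return {lease.subscriber for lease in leases if lease.ip == ip}


def identify(entry: AccessLogEntry,
             leases: Optional[list[LeaseRecord]]) -> Optional[str]:
    """Combine address + access time with ISP lease records.

    Returns None when the additional data is not available (the website
    operator's own position) or when no lease covers the access time."""
    if leases is None:
        return None
    for lease in leases:
        if lease.ip == entry.ip and lease.start <= entry.time < lease.end:
            return lease.subscriber
    return None


def utc(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)


# Constructed website log: two visits from the same dynamic address on one day.
SAMPLE_LOG = [
    '203.0.113.45 - - [12/May/2016:10:15:32 +0000] '
    '"GET /search?q=data+protection HTTP/1.1" 200 5123',
    '203.0.113.45 - - [12/May/2016:21:40:07 +0000] '
    '"GET /forms/antrag.pdf HTTP/1.1" 404 312',
]

# Constructed ISP records: the address was reassigned between the two visits.
SAMPLE_LEASES = [
    LeaseRecord("203.0.113.45", "subscriber-0042",
                utc("2016-05-12 08:00"), utc("2016-05-12 14:00")),
    LeaseRecord("203.0.113.45", "subscriber-0077",
                utc("2016-05-12 18:30"), utc("2016-05-13 02:00")),
]


def demo() -> list[Optional[str]]:
    """Resolve each logged visit using the ISP records; one subscriber per visit."""
    entries = [parse_access_log(line) for line in SAMPLE_LOG]
    return [identify(e, SAMPLE_LEASES) for e in entries]


if __name__ == "__main__":
    print(identify(parse_access_log(SAMPLE_LOG[0]), None))   # operator alone: None
    print(subscribers_for_ip("203.0.113.45", SAMPLE_LEASES))  # address alone: two candidates
    print(demo())  # address + time + ISP records: one subscriber per visit
```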
Mr. Patrick Breyer was one of the visitors to those websites. A dispute arose after he requested the Institutions to discontinue the storage of his dynamic IP address. Referring to Article 2(a) and Recital 26 DPD, Mr. Breyer insisted that his dynamic IP address was his personal data because it made him identifiable.[37] For this reason, he claimed, it should not be processed without his consent, unless processing was 'required in order to restore the availability of the telemedium in the event of a fault occurring'.[38] Of course, such an exception was not provided for under Article 15 TMG (the supposed national equivalent of Article 7(f) DPD).
That suggestion was sharply opposed by the Institutions. They argued that Mr. Breyer's dynamic IP address did not qualify as personal data, because the dynamic IP address did not make him identifiable. The logic behind their argument was that the Institutions were not in possession of the additional data which must be combined with Mr. Breyer's dynamic IP address in order to identify him. In essence, the Institutions were saying that the CJEU opinion in Scarlet[39] applied only to ISPs, and not to website owners: ISPs were in possession of the additional data needed in order to identify a data subject, website owners were not.[40]
Moreover, the Institutions argued further, Article 7(f) DPD allowed them to process a website user's dynamic IP address without his consent, if at all this could be deemed personal data. The import of this second leg of the Institutions' argument was to call into question the validity of the aforementioned national provision (Article 15 TMG), which put a cap on Article 7(f) of the DPD.
Due to the irreconcilable differences in opinion, Mr. Breyer brought an action before the German administrative courts. He sought an injunction restraining the Institutions:
from storing or arranging for third parties to store, after
consultation of the websites accessible to the public run by the German Federal
institutions’ online media services, the IP address of the applicant’s host
system except in so far as its storage is unnecessary (sic) in order to restore
the availability of those media in the event of a fault occurring.[41]
That action was thrown out by the court of first instance. Upon
appeal, the court of appeal held that the dynamic IP addresses in question were
personal data only if Mr. Breyer had revealed his identity (by supplying
additional data such as his name or email address) while consulting the
websites.[42] Dissatisfied
with this result, both parties made an appeal to the Bundesgerichtshof, which
itself turned to the CJEU for answers to the following questions:
"(1) Must Article 2(a) of Directive 95/46 … be interpreted as
meaning that an internet protocol address (IP address) which an [online media]
service provider stores when his website is accessed already constitutes
personal data for the service provider if a third party (an access provider)
has the additional knowledge required in order to identify the data subject?[43]
(2) Does Article 7(f) of [that directive] preclude a provision in
national law under which a service provider may collect and use a user’s
personal data without his consent only to the extent necessary in order to
facilitate, and charge for, the specific use of the telemedium by the user
concerned, and under which the purpose of ensuring the general operability of
the telemedium cannot justify use of the data beyond the end of the particular
use of the telemedium?"[44]
CJEU Answer to the First Question
Responding to the first question, the CJEU stated that information relating to both identified and identifiable natural persons is captured by the definition of personal data under Article 2(a) DPD.[45] This means that for information to qualify as personal data, it has to relate to either an identified or an identifiable natural person. In the context of a dynamic IP address, the CJEU made it abundantly clear that 'such an address does not directly reveal the identity of the natural person who owns the computer from which a website was accessed, or that of another person who might use that computer.'[46] In other words, a dynamic IP address 'does not constitute information relating to an "identified natural person"'.[47]
Having made that exclusion, the place of a dynamic IP address was
sought within the notion of an identifiable natural person:
[I]n order to determine whether … a dynamic IP address constitutes personal data within the meaning of Article 2(a) of Directive 95/46 in relation to an online media services provider, it must be ascertained whether such an IP address, registered by such a provider, may be treated as data relating to an "identifiable natural person".[48]
Upon a joint reading[49]
of Article 2(a) and Recital 26 DPD, the CJEU was satisfied that a dynamic IP
address (without other data) in the hands of website owners constituted
information relating to an identifiable natural person, and therefore was
personal data:
Having regard to all the foregoing considerations, the answer to the
first question is that Article 2(a) of Directive 95/46 must be interpreted as
meaning that a dynamic IP address registered by an online media services
provider when a person accesses a website that the provider makes accessible to
the public constitutes personal data within the meaning of that provision, in
relation to that provider, where the latter has the legal means which enable it
to identify the data subject with additional data which the internet service
provider has about that person.[50]
CJEU Answer to the Second Question
With regard to the second question, the CJEU began by considering the
exclusionary provision under the first indent of Article 3(2)[51]
DPD. The purpose of this inquiry was to ascertain the applicability (or
otherwise) of the DPD to the processing of personal data by the Institutions.
Under the said provision, the DPD does not extend to the processing of personal
data:
in the course of an activity which falls outside the scope of
Community law, such as those provided for by Titles V and VI of the Treaty on
European Union and in any case to processing operations concerning public
security, defence, State security (including the economic well-being of the
State when the processing operation relates to State security matters) and the
activities of the State in areas of criminal law.[52]
However, the CJEU was persuaded[53]
that the Institutions each operated their websites in an individual capacity,
irrespective of their legal status as public authorities. By so doing, the
Institutions were brought within the remit of the DPD. Therefore, the above
exclusionary provision was held not to apply to the instant case.
The applicability of the DPD having been established, the CJEU proceeded to examine more closely the compatibility of the national provision (Paragraph 15 TMG) with Article 7(f) of the DPD. It held that Paragraph 15 TMG overly circumscribes the notion of the legitimate interests of a controller enshrined in Article 7(f) DPD. While Paragraph 15 TMG recognized only two conditions for the processing of personal data without the consent of the data subject, Article 7(f) DPD contemplates a broader allowance:
In the present case, it appears that Paragraph 15 of the TMG, if it
were interpreted in the strict manner mentioned in paragraph 55 of the present
judgment, has a more restrictive scope than that of the principle laid down in
Article 7(f) of Directive 95/46.[54]
Therefore, Paragraph 15 TMG was declared to be inconsistent with Article 7(f) of the DPD, as it failed to embrace a core principle of EU data protection law: striking a fair balance between the personal data privacy rights of natural persons and the need to ensure the free flow of such data. Specifically, 'by excluding the possibility to balance the objective of ensuring the general operability of the online media against the interests or fundamental rights and freedoms of those users',[55] Paragraph 15 TMG transposed the letter of Article 7(f) DPD, but not its spirit.
One of the considerations which led to the above conclusion was that Article 5 DPD is not a stand-alone provision. It must be read in conjunction with Articles 1[56] and 7 thereof. So, in transposing the principles set forth in Article 7 DPD, the national legislature has to keep in mind that the liberty given to Member States under Article 5 DPD (to 'determine more precisely the conditions under which the processing of personal data is lawful'[57]) is not a carte blanche.[58] Rather, Member States are to be guided by the principles set out in Chapter II of the DPD as well as "the objective pursued by that directive of maintaining a balance between the free movement of personal data and the protection of private life."[59]
Summing up, the CJEU declared that:
the answer to the second question is that Article 7(f) of Directive 95/46 must be interpreted as meaning that it precludes the legislation of a Member State under which an online media services provider may collect and use personal data relating to a user of those services, without his consent, only in so far as the collection and use of that information are necessary to facilitate and charge for the specific use of those services by that user, even though the objective aiming to ensure the general operability of those services may justify the use of those data after consultation of those websites.[60]
Comments
As far as the answer to the first question is concerned, the reasoning and conclusion of the CJEU are logical. A dynamic IP address might prima facie be an unintelligible sequence of numbers, but when combined with other data, it makes a website user identifiable. In so far as the Institutions could legally[61] have approached Mr. Breyer's ISP in order to collect his additional data, the risk of identification was real rather than merely theoretical. And the fact that those additional data were in the possession of a third party (the ISP) should not matter, seeing that this presented a prospect of the indirect identification for which Article 2(a) DPD provides. Recital 26 DPD lends credence to this reasoning, since it calls for a consideration of 'all the means likely reasonably to be used either by the controller [such as a website operator] or by any other person to identify the said person'.[62]
It must be conceded that the foregoing submission does not in any way dismiss the apprehension of those who argue that such a wide interpretation of identifiability 'could turn out to be a pyrrhic victory',[63] due to its extensive ramifications for data protection law. Indeed, it would be counterproductive to give a literal interpretation to Recital 26 DPD, so that no conceivable means (legal or illegal) of obtaining additional data is ruled out. As such, that provision ought to be read and applied contextually. And as exemplified by the CJEU in this case, the 'means likely reasonably to be used' were pinned down to approaching a specified ISP through existing legal channels.[64]
The answer to the second question simply follows the same line of reasoning as the joined CJEU cases of ASNEF and FECEMD,[65] with the result that Member States still have to rely on guesswork in the exercise of the discretion afforded them under Article 5 DPD. This is because the difference which the CJEU sought to draw between ‘mere clarification’ and ‘amending the scope’ of a principle under Article 7 DPD is nothing more than an exercise in semantics. For it is highly unlikely that an acceptable clarification could be attained without ‘amending the scope’ of a notion (of legitimate interests) which is lacking in scope. But this approach is understandable in the light of the need for a uniform interpretation of EU law in all Member States.
As there can be no definite answer from the CJEU on the actual scope of the notion of legitimate interests, it would seem that its boundaries are without limits. If that were the case, then national courts might have to turn to Luxembourg whenever a question touching on Article 7(f) resurfaces in proceedings before them. Another implication is that controllers could exploit the decision as a licence to unilaterally process dynamic IP addresses without the consent of website users. For sure, it does not require rocket science to put the tag of legitimate interests on such a processing operation. Informed consent could therefore be easily discarded under the cloak of an open-ended principle known as legitimate interests.
That being said, it is important to look at the decision through the lens of public policy. In the wake of the recent surge in cyber attacks,[66] the CJEU answer to the second question could not have been timelier. It provides a guarantee that so-called hacktivists and their ilk could be identified and, where feasible, brought to book. If nothing else, this represents a legitimate interest for website owners. It is also in the interest of society as a whole, because some critical infrastructures rely in part on the proper functioning of electronic communication systems.
In all, legal persons (both in the private and public sectors) operating a website in their individual capacity within the EU are bound to comply with the judgment. Prior to performing ‘post-consultation period’ processing operations on the dynamic IP addresses of the devices used by visitors to access their websites, they must obtain the consent of such visitors, unless they can show that such processing is for the purposes of the legitimate interests pursued by them.
[1] Personal data shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity. DPD, Art 2(a).
[2] See for example a summary on the conflicting decisions by two French Courts of Appeal in: European Commission, Directorate-General for Communication Networks, Content and Technology, "Study of case law on circumstances in which IP addresses are considered personal data" (Final report, 2011) 101-105, available at <http://www.timelex.eu/frontend/files/userfiles/files/publications/2011/IP_addresses_report_-_Final.pdf> accessed 7 November 2016.
[4] Spindler G, Schmechel P, ‘Personal Data and Encryption in the European General Data Protection Regulation’, 7 (2016) JIPITEC 163, para 2, available at <http://www.jipitec.eu/issues/jipitec-7-2-2016/4440/spindler_schmechel_gdpr_encryption_jipitec_7_2_2016_163.pdf> (Spindler, Schmechel) accessed 8 November 2016.
[5] 'controller' shall mean the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national or Community laws or regulations, the controller or the specific criteria for his nomination may be designated by national or Community law. DPD, Art 2(d).
[7] 'Processing' is "any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction." DPD, Art 2(b).
[11] Case C-582/14 Patrick Breyer v Bundesrepublik Deutschland (Judgment of 19 October 2016, ECLI:EU:C:2016:779) (Breyer).
[12] ibid paras 14-16; Case C-582/14 Patrick Breyer v Bundesrepublik Deutschland, Opinion of Advocate General Campos Sánchez-Bordona (delivered 12 May 2016), points 1-4. Both the CJEU and the Advocate General began with the technical details surrounding a dynamic IP address.
[14] Case C-582/14 Patrick Breyer v Bundesrepublik Deutschland, Opinion of Advocate General Campos Sánchez-Bordona (delivered 12 May 2016, ECLI:EU:C:2016:339) (AG Opinion), point 2.
[15] IP Location, 'What is the difference between a static and dynamic IP address?' <https://www.iplocation.net/static-vs-dynamic-ip-address> accessed 14 November 2016.
[18] Library of Congress, 'Online Privacy Law: Germany', para 23, available at <https://www.loc.gov/law/help/online-privacy-law/germany.php#_ftn52> (Library of Congress) accessed 17 November 2016 (footnote omitted).
[20] AG Opinion (n 15), point 53.
[27] 'The German Government argues that it is not necessary to address the second question, raised only in the event that the first question should be answered in the affirmative, which is not the case in its view, for the above reasons.' AG Opinion (n 15), point 40.
[31] 'The German Federal Data Protection Act has separate provisions for data processing in the public and private sectors. In addition, Germany has special privacy provisions for electronic information and communication services (telemedia) and yet another set of privacy rules for the providers of services that transmit electronic signals. All these laws apply to some extent to the providers of online services. Through these laws Germany transposed European Union (EU) Directives 95/46 and 2002/58, albeit in a very complex and differentiated manner. Some German experts find that this complexity interferes with the requirement of transparency in that it keeps consumers from being aware of their rights and from exercising them.' Library of Congress (n 19), para 1.
[32] Telemediengesetz (TMG), 26 February 2007, BUNDESGESETZBLATT [BGBl.] I at 179, available at <http://www.gesetze-im-internet.de/tmg/index.html> accessed 17 November 2016.
[42] Breyer (n 12), paras 19-20.
[43] Breyer (n 12), para 29.
[45] Breyer (n 12), para 32.
[46] Breyer (n 12), para 38.
[48] Breyer (n 12), para 39.
[49] Breyer (n 12), paras 40, 42.
[50] Breyer (n 12), para 49.
[51] DPD, Art 3(2), first indent.
[52] ibid.
[54] Breyer (n 12), para 59.
[55] Breyer (n 12), para 63.
[56] See DPD, Art 1 on the objectives of the DPD.
[57] DPD, Art 5.
[58] Breyer (n 12), para 58.
[59] ibid.
[60] Breyer (n 12), para .
[62] DPD, Art 26.
[65] Joined Cases C‑468/10 and C‑469/10 ASNEF and FECEMD (Judgment of 24 November 2011, EU:C:2011:777), paras 30-40, 47-48; cf Breyer (n 12), paras 57, 58, 62.
[66] ‘In December three Ukrainian regional power firms experienced short-term blackouts as a result of malicious software in their networks. Experts have described the incident as the first known power outage caused by a cyber attack.’ Available at <http://euractiv.com/section/Europe-s-east/news/Ukraine-says-russian-cyber-attacks-targeted-its-main-airport/> accessed 24 November 2016; 'Last month, German Chancellor Angela Merkel said she could not rule out Russia interfering in Germany’s 2017 election through internet attacks and misinformation campaigns.' Available at <https://www.euractiv.com/section/global-europe/news/german-spy-agency-warns-of-rise-in-russian-propaganda-and-cyber-attacks/> accessed 24 November 2016; 'Estonia has acted to shore up its cyber security after attacks that shut down private and government websites in 2007, which Estonia blamed on Russia.' Available at <https://www.euractiv.com/section/global-europe/news/german-spy-agency-warns-of-rise-in-russian-propaganda-and-cyber-attacks/> accessed 24 November 2016.