Dynamic IP addresses are personal data and why you should care about it

The Court of Justice of the European Union (CJEU) has recently ruled that dynamic IP addresses are to be considered personal data. This blog post gives a brief explanation of the decision and of why it matters for app developers who must comply with the European privacy framework.

The decision, in a nutshell

The case C‑582/14 (Patrick Breyer v. Bundesrepublik Deutschland) of October 19th, 2016 was about «the registration and storage of the internet protocol address (‘IP address’) allocated to Mr. Patrick Breyer when he accessed several internet sites run by German Federal institutions».

In this ruling, the Court was asked to better interpret some articles of Directive 95/46/EC in the light of the definition of IP (Internet Protocol). The interpretation was focused only on "dynamic IP addresses", since "static IP addresses" have already been classified as personal data within the scope of Directive 95/46/EC.

A dynamic IP address is a set of numbers that changes at each new connection of a router or device to the Internet. Unlike the static IP address, the dynamic IP address does not allow you to automatically associate the identity of the user to the machine surfing on the Internet.

However, the Advocate General concluded and outlined, in this case, an important point:

"Article 2(a) of Directive 95/46/EC [...] must be interpreted as meaning that a dynamic IP address registered by an online media services provider when a person accesses a website that the provider makes accessible to the public constitutes personal data within the meaning of that provision, in relation to that provider, where the latter has the legal means which enable it to identify the data subject with additional data which the internet service provider has about that person." (See par. 65[1], Case C‑582/14).

Let's recall the definition of personal data provided by the Directive in article 2(a):
"[...] any information relating to an identified or identifiable natural person ('data subject')";

According to this provision, an "identifiable natural person" is one who:
"[...] can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity";

In conclusion, although a dynamic IP address changes over time, it can be traced back to the identity of the person in a short time. This is why dynamic addresses fall within the definition of personal data. It doesn't matter that this decision was about the interpretation of Directive 95/46/EC: the latter will soon (May 2018) be repealed and expanded by the entry into force of the new General Data Protection Regulation (GDPR), which places new requirements on individuals and businesses, such as the appointment of DPOs (Data Protection Officers). GDPR will carry huge violation costs if it is not correctly respected.

Why you should care about it

Here is the first important implication: IP addresses are collected by many of the tools we all use for our websites or apps. For example, web and application servers such as Apache or Nginx record this information in the log files that they store on our servers.

Therefore, anyone using a web/application server must show a privacy policy and inform users (see ePrivacy Directive and EU Cookie law), in addition to meeting other administrative and technical requirements for protecting personal data. This applies to all "personal data" such as name and surname, photo, email address, bank details, posts on social networking websites, birthplace, or working position.

The second important implication is that anonymization and pseudonymization of data are even more difficult to achieve on your server, causing more trouble for cloud data storage.

Under recital 26 of the new GDPR, anonymized information can be defined as "information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable". On the other hand, pseudonymization cannot be considered a method of anonymization, since it merely reduces the linkability of a dataset with the original identity of a data subject.
Indeed, under art. 4(5) GDPR pseudonymization can be defined as "the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person".

In other words: in order to achieve anonymization or pseudonymization, you must now also treat dynamic IP addresses as a form of personal data.
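
An added example (not from the original post or from Chino.io): keyed pseudonymization of the client address in Apache/Nginx combined-format access logs, where the key plays the role of the "additional information" that art. 4(5) requires to be kept separately. The sample log lines, the key and the function names are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import re

# Constructed sample lines in Apache/Nginx "combined" log format (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [19/Oct/2016:10:00:01 +0200] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '2001:db8::1 - - [19/Oct/2016:10:00:02 +0200] "GET /a HTTP/1.1" 200 128 "-" "curl/7.50"',
    '203.0.113.7 - - [19/Oct/2016:10:05:09 +0200] "GET /b HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    'not-an-ip - - [19/Oct/2016:10:06:00 +0200] "GET /c HTTP/1.1" 400 0 "-" "-"',
]

# The first whitespace-delimited field is the client address in the combined format.
FIRST_FIELD = re.compile(r"^(\S+)(\s.*)$", re.DOTALL)


def pseudonymize_ip(ip_text: str, key: bytes) -> str:
    """Return a keyed token for an IPv4/IPv6 address (ValueError if it does not parse)."""
    addr = ipaddress.ip_address(ip_text)  # normalises different spellings of one address
    # Keyed HMAC rather than a bare hash: the IPv4 space is small enough to enumerate.
    digest = hmac.new(key, addr.packed, hashlib.sha256).hexdigest()
    return f"ip-{digest[:16]}"


def pseudonymize_line(line: str, key: bytes) -> str:
    """Replace the client address of one log line; redact it if it is not an address."""
    match = FIRST_FIELD.match(line)
    if not match:
        return line
    client, rest = match.groups()
    try:
        token = pseudonymize_ip(client, key)
    except ValueError:
        token = "ip-invalid"  # never pass an unparsed first field through unchanged
    return token + rest


if __name__ == "__main__":
    # Hypothetical key: generate it randomly and store it apart from the logs.
    key = b"constructed-demo-key-keep-separately"
    for entry in SAMPLE_LOG:
        print(pseudonymize_line(entry, key))
```

Whoever holds the key can recompute the token for a candidate address, so the output is pseudonymized data, not anonymized data.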

How Chino.io helps companies with EU Health Data security compliance

Personal and especially sensitive data require protection. Companies handling these data should provide guarantees to users and collect consent for their processing. This is especially true for digital health companies developing eHealth and mHealth apps, medical software or devices, and wearables. If they are collecting any sensitive data, these companies need to ensure compliant health data storage and APIs with respect to the recent EU Privacy Law framework.