And here is delivered by the Court of Justice of the European Union (CJEU) another landmark judgment: C‑582/14 Breyer v Bundesrepublik Deutschland concerning the proper characterisation of IP addresses and the compatibility of German national law with Article 7(f) of the Data Protection Directive (DPD). The judgement is not available in English yet, but the German and the French versions, among others, are already online.
As explained by Alison in her post commenting on the opinion of Advocate General (AG) CAMPOS SÁNCHEZ-BORDONA delivered on 12 May 2016, the Federal Republic of Germany (Germany) used to (and will continue to) log dynamic IP addresses when users browse its websites. Mr Breyer, unhappy about this practice, brought a suit against Germany and claimed for a prohibitory injunction, alleging that dynamic IP addresses were personal data and that consent was required for Germany to process the data in this way. As his consent had not been obtained, Germany should be refrained from storing such IP addresses, “except in so far as the storage is required in order to restore the availability of the telemedium in the event of a fault occurring.” In other words, this was saying that German Telemedia Law was more restrictive than the DPD on these issues and German Telemedia Law had to be complied with (see Sections 12 and 15 of the Telemediengesetz).
And why did Germany log dynamic IP addresses? Well, Germany logged a series of data (name of the domain or file browsed, search terms, date and time of session, volume of transferred data… and finally IP addresses). As explained by the AG at para. 23 “With the aim of preventing attacks and making it possible to prosecute attackers, most of those websites store information on all access operations in logfiles. Even after access has been terminated, information is retained in the logfiles concerning the name of the file or web page to which access was sought, the terms entered in the search fields, the time of access, the quantity of data transferred, an indication of whether access was successful and the IP address of the computer from which access was sought.”
The German Federal Court of Justice referred 2 questions to the CJEU:
- “Must Article 2(a) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data 1 — the Data Protection Directive — be interpreted as meaning that an Internet Protocol address (IP address) which a service provider stores when his website is accessed already constitutes personal data for the service provider if a third party (an access provider) has the additional knowledge required in order to identify the data subject?”
- “Does Article 7(f) of the Data Protection Directive preclude a provision in national law under which a service provider may collect and use a user’s personal data without his consent only to the extent necessary in order to facilitate, and charge for, the specific use of the telemedium by the user concerned, and under which the purpose of ensuring the general operability of the telemedium cannot justify use of the data beyond the end of the particular use of the telemedium?”
The CJEU is essentially in line with its AG.
The main points of the CJEU’s reasoning are the following:
- The Breyer case indeed raises novel issues. Scarlet v Sabam decided in 2011 is limited to situations in which the data controller is the Internet Service Provider (ISP) itself. [para. 34]
- The CJEU rejects the approach taken by the German Court of Appeal, which was making a distinction between situations in which the logfiles contain email addresses, [i.e. personal data by content to use the terms of Article 29 Data Protection Working Party in its opinion on personal data] and situations in which the logfiles do not contain email addresses.
- The CJEU acknowledges the existence of two opposing views: the objective approach and the relative [or relativistic] approach to the interpretation of the legal concept of identifiability [para. 25]. [Remember, under the DPD: “”personal data” shall mean any information relating to an identified or identifiable natural person (“data subject”)” (Article 2(a))]. The CJEU certainly rejects the relative approach and seems to opine for the objective one, at least as it describes the implications of such an approach in its decision].
- A dynamic IP address does not relate to an identified individual. [para. 38] The question is therefore whether it can relate to an identifiable individual. The CJEU recalls that individual can be identified directly or indirectly. [para. 39].
- To determine whether an individual is identifiable the CJEU refers, without mentioning it, to Recital 26 of the DPD.
- But very interestingly, the CJEU expressly refers to para. 68 of its AG’s opinion which states that: “Just as recital 26 refers not to any means which may be used by the controller (in this case, the provider of services on the Internet), but only to those that it is likely ‘reasonably’ to use, the legislature must also be understood as referring to ‘third parties’ who, also in a reasonable manner, may be approached by a controller seeking to obtain additional data for the purpose of identification. This will not occur when contact with those third parties is, in fact, very costly in human and economic terms, or practically impossible or prohibited by law. Otherwise, as noted earlier, it would be virtually impossible to discriminate between the various means, since it would always be possible to imagine the hypothetical contingency of a third party who, no matter how inaccessible to the provider of services on the Internet, could — now or in the future — have additional relevant data to assist in the identification of a user.” [What does para. 68 really mean? Isn’t it saying that one should adopt a risk-based approach regarding the issue of identifiability in assessing whether it exists from data on a particular set of facts, and therefore regarding the issue of anonymisation as well, as discussed in one of my previous posts? This would mean that Article 29 WP got it partially wrong in 2014, as I flagged in that post, when it discarded all the possible means that could significantly lower the risks of re-identification and in particular the law itself!]
- Actually, the judgment of the CJEU seems slightly better than the opinion of the AG in as much as it does not refer to para. 69 of the opinion as well which added: “As previously stated, the third-party to whom the Bundesgerichtshof (Federal Court of Justice) refers is an Internet service provider. This is surely the third party whom it is more reasonable to think that the service provider will approach to collect any additional data required, if it aims to identify in the most effective, practical and direct way a user who has accessed its website using the dynamic IP address. This is by no means a hypothetical, unknown and inaccessible third party, but a main player in the structure of the Internet, who is known with certainty to be in possession of the data required by the service provider to identify a user. In fact, as stated by the referring court, it is that particular third party which the defendant in the main proceedings intends to approach in order to collect the necessary additional data.” One interpretation of para. 69 was that the AG was actually undermining its statement made in para. 68: in effect, if ISPs exist, then using that logic, IP addresses should always be considered personal data.
- Finally, the CJEU recalls that EU data protection law serves a double, [and to some extent contradictory… my own addition], purpose: the free movement of personal data and the protection of privacy and data protection interests. Therefore, Article 7(f) of the DPD amounts to full harmonisation in terms of being complete. In other words, Article 7(f) does contain an exhaustive (and limitative) list of legal bases, which cannot be shrunk by Member States [para. 57]. This thus means that the German Telemedia Law is indeed too restrictive [para. 63]. [And this seems to mean as well that website operators should be allowed to process personal data for network security purposes without consent; network security purposes including the pursuit of individuals responsible for cyberattacks].
I am wondering now, and what about other types of illegal activities? Could website operators or other service providers process [i.e. retain] personal data to prevent or terminate other types of illegal activities as well? This is where the Digital Rights Ireland case may be of some help… Or maybe not…Shall we draw a distinction between voluntary retention and mandatory retention, in the same vein as the distinction drawn up until now between voluntary general monitoring and mandatory general monitoring?