‘Dynamic IP addresses are personal data’

Dynamic IP addresses are personal data if an internet provider has the additional data to trace it back to a person. That is the opinion of the Advocate General of the Court of Justice of the European Union.

The case revolves around a German, P. Breyer, who demanded that the German state stop storing IP addresses. The German state saved IP addresses of visitors to government sites in order to fend off internet attacks and punish attackers. Breyer had visited some government sites but then demanded that his IP address be stopped.

The man stated that a dynamic IP address is personal data, which means that it falls under the protection and additional requirements of European Directive 95/46/EC. This would be personal data, despite the fact that a third party is needed to identify the user: the internet provider. The German state argued that an IP address does not identify a person.

Breyer’s claim was rejected by the German court in the first instance, but it was partially granted on appeal. Germany had to stop saving the IP address, as Breyer already provided an email address when visiting the sites and the preservation was not necessary for the provision of the service.

Both parties appealed and the Bundesgerichtshof first wanted an answer from the CJEU on the preliminary question whether it was indeed personal data. In his opinion, Advocate General Campos Sánchez-Bordona states that, in his view, this is indeed the case.

“For the Internet service provider, the dynamic IP address must be qualified as personal data, because there is a third party – the Internet service provider – who can reasonably be expected to be contacted by the Internet service provider to obtain additional data that make it possible, in combination with the IP address, to identify a user”, the advice reads. In most cases, the Court of Justice of the EU adopts the Advocate General’s advice.