Dynamic IP-addresses can be "personal data" says EU Court of Justice

On October 19, 2016, the European Court of Justice ruled on whether dynamic IP-addresses constitute "personal data" within the meaning of European data protection legislation (Case C-582/14).

The full text of the judgment can be found here

The court confirms that the dynamic internet protocol address of a visitor constitutes personal data, with respect to the operator of the website, if that operator has the legal means allowing it to identify the visitor concerned with additional information about him which is held by the internet service provider.

This means that in such cases website operators do need to act in compliance with data protection legislation when processing such dynamic IP-addresses. The operator of a website may however have a legitimate interest in storing certain personal data relating to visitors to that website in order to protect itself against cyberattacks, and does not need to ask for consent from the website visitor.

The ruling is relevant for any website collecting dynamic IP-addresses. The Court leaves room for deciding in each case whether or not dynamic IP-addresses form personal data.

In practice, this means that the following criteria should be used when deciding if dynamic IP-addresses are personal data in a specific situation:

  1. It is not necessary that the dynamic IP address alone allows the data subject to be identified, if additional data could help to identify the person.
  2. It is not required that all the information enabling the identification of the data subject be in the hands of one person.
  3. It must be decided in each case whether the possibility to combine a dynamic IP address with the additional data held by the internet service provider constitutes a means likely reasonably to be used to identify the data subject.
  4. That would not be the case if the identification of the data subject was prohibited by law or practically impossible on account of the fact that it requires a disproportionate effort in terms of time, cost and manpower, so that the risk of identification appears in reality to be insignificant.

No doubt, and as always with EU Court judgments, food for further consideration!

See also: DLA Piper LLP (Mr. Patrick Van Eecke)
