Yesterday, the Court of Justice delivered its decision in Breyer v Bundesrepublik Deutschland (C-582/14, not yet available in English), a case concerning the lawfulness of the retention of dynamic IP addresses and other information by internet service providers.
Mr Breyer contested the practice of the German federal government's websites, which keep a register of all IP addresses accessing information on their pages, together with a record of the pages visited and the time of each visit. The purpose of this information storage, according to the German government, is to prevent and/or readily prosecute cyberattacks.
Two questions were raised before the Court of Justice: 1) whether, contrary to the assumptions of the Government when devising this practice, the information concerned constituted personal data under Directive 95/46; 2) if so, whether the German rules applicable to the retention of personal data by websites, which would make the Government's practice illegal, were compatible with the directive.
As to the first question, the Court of Justice answered that the collection of dynamic IP can be qualified as collection of personal data. The main issue to be discussed in this context was whether dynamic IP information, which is by definition not constantly associated to an individual user, can nevertheless be considered as capable of identifying that user. This is materially possible only through obtaining additional information from the internet service provider which has issued the IP number.
Making reference to the directive's 26th recital, the Court reasoned that the answer to the question depends on the ability, for the website's owners, to obtain the "missing" information legally and without disproportionate expenditure. The ECJ considers that this possibility is clearly present in a case such as the one under scrutiny, especially in the event of a cyberattack.
Therefore, the answer to the first question is that dynamic IP addresses are to be considered and treated as personal data by a provider which has the possibility to use them, in case of need, in order to identify the users associated to them.
As to question 2), the Court had to consider the compatibility with Directive 95/46 of the German provision according to which- thus the interpretation prevailing in Germany- online service providers are only allowed to collect personal data for purposes related to their service provision- and charging of potentially ensuing fees.
In particular, the Court considered whether a similarly interpreted restriction was compatible with article 7 letter f of the Directive, according to which providers can collect and preserve data in pursuit of their legitimate interests, provided they do not disproportionately impinge on the user's fundamental rights and liberties. The national legislation implementing the directive must leave some room for the balancing required by this provision.
According to the Court, therefore, article 7 letter f of Directive 95/46 stands in the way of a national rule that generally disallows providers to store personal data with the purpose of securing the website's continued workability- which, inter alia, encompasses the prevention and prosecution of cyberattacks.
Thus, the answer of the second question is that the Directive does not allow national legislation to be interpreted in such a manner that would render the collection of personal data (ie dynamic IP addresses and access information) for the prevention of cyberattacks illegal.
This decision is rather double-faced: on the one hand, it has a privacy-friendly attitude insomuch as it makes clear that all information can be personal data when the provider collecting it has the possibility to, at some point in time, use it to identify people who have accessed its webpages. On the other hand, though, it threatens to preempt national legislations giving a strict interpretation of the legitimate interests allowing data collection. It will be interesting to see which of the two faces will become more visible in the decision's aftermath.