Dynamic IP Address May Now be Protected Personal Data Under EU Law

Natasha Kohne, Michelle Reed
Akin Gump Strauss Hauer & Feld LLP
Contact
LinkedIn
Facebook
X
Send
Embed

Akin Gump Strauss Hauer & Feld LLP

On October 19, 2016, the Court of Justice of the European Union (CJEU) issued a judgment determining that dynamic Internet protocol (IP) addresses may constitute “personal data” subject to protection under the EU’s Data Protection (Directive 95/46/EC) under certain circumstances. Pursuant to the Directive, EU member states are required to protect the natural persons’ right to privacy with respect to the processing of their “personal data.”

The CJEU took up the question of whether dynamic IP addresses constitute personal data after a German politician brought suit seeking to challenge the ability of German government websites to register and store dynamic IP addresses. The German government alleged that it needed to collect and store such IP addresses in order to prevent cyber attacks on its websites and to guarantee the “security and continued proper functioning” of the websites.

 The CJEU’s judgment finds that it is possible to identify a natural person (a data subject) based on the dynamic IP address provided to that data subject by an online media services provider, if the IP address is combined with certain other data that is collected and stored by Internet service providers. Accordingly, the judgment finds that “a dynamic IP address registered by an online media services provider . . . constitutes personal data within the meaning of [the Directive]” when the provider “has the legal means which enable it to identify the data subject with additional data which the Internet service provider has about that person.” 

The determination that a dynamic IP address may constitute personal data means that such IP addresses must be processed in accordance with the privacy requirements of the Directive. The ruling could have implications for companies that provide dynamic IP addresses to users of their websites.

The CJEU’s judgment also finds that a particular provision of the German law on Telemedia related to when an online media services provider may collect and use personal data without the subject’s consent is overly restrictive, and in conflict with, Article 7(f) of the Data Protection Directive. Therefore, the CJEU determined, the provision of the German law is precluded by the Directive.

The CJEU’s full decision is available here.

 

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Akin Gump Strauss Hauer & Feld LLP | Attorney Advertising

Written by:

Akin Gump Strauss Hauer & Feld LLP
Akin Gump Strauss Hauer & Feld LLP
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

Akin Gump Strauss Hauer & Feld LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide