Out-Law / Your Daily Need-To-Know

Out-Law News

IP addresses are personal data if ISPs hold additional data that can help identify internet users, says CJEU advisor


Website operators should treat IP addresses as personal data if internet service providers (ISPs) hold other information that can be matched with IP address data to reveal the identity of internet users, an advisor to the EU's highest court has said.

The Court of Justice of the EU (CJEU) has been asked by a court in Germany to help resolve a dispute over whether IP addresses constitute personal data for the purposes of the EU's Data Protection Directive.

The German court has specifically asked the CJEU whether website operators that store IP addresses when device users connect to their sites can be said to be handling personal data if the businesses facilitating those device users' online access – third party internet service providers (ISPs) – hold "the additional knowledge required in order to identify the data subject".

In a non-binding opinion (in German) issued in the case last week, advocate general to the CJEU Manuel Campos Sánchez-Bordona said website operators should treat IP addresses as being a piece of personal data if ISPs hold additional data that could be combined with IP addresses to identify specific users of websites.

The CJEU is expected to issue its formal judgment in the case in the coming months. It often follows the guidance set out by advocates general in their opinions.

Data protection law expert Kathryn Wynn of Pinsent Masons, the law firm behind Out-Law.com, earlier this year said that businesses should treat IP addresses as being subject to data protection laws even if the CJEU rules that the information is not to be automatically considered as being personal data.

"It would be prudent for companies to assume IP addresses are personal data," Wynn said at the time. "This is because of the potential for that data to be used to identify individual internet users when matched together with other information. Companies that treat IP addresses as being outside the scope of data protection laws run the risk of being fined. Significant financial penalties of up to 4% of a company's global annual turnover are a possibility under new EU data protection laws."

Wynn said that guidance issued by data protection authorities and a UK court support a cautious approach from businesses on how they should treat IP addresses.
