Stay in the loop with the most important updates
In the area of Personal Data Protection, merely defining personal data is already a challenge. In general, the concept of personal data encompasses any information by which a person identifies himself or can be identified by others. However, it is not always clear what really falls under the category of information “based on which a person can be identified”.
Prior to adopting the General Data Protection Regulation (GDPR), and during the validity of the EU Directive regarding the subject, the confusion also revolved around IP addresses. The debate on IP addresses in the field of personal data protection regarded the question of whether an IP address can be considered personal data at all, and if so, whether there is a difference between a dynamic and a static IP address.
In order to clarify how the IP address came about to be considered personal data, we will discuss the role of the European Court of Justice in solving this dilemma. Finally, we will address the current position of IP addresses in the field of data protection in the EU and Serbian legislation.
An IP address is a unique numerical label for a device on the internet. Each device is identified through an IP address and it enables Internet access (IP address example: 126.96.36.199). An IP address can be static or dynamic. A dynamic IP address is a variable category, which means that whenever a router connected to the Internet is reset, the IP address takes a different value.
As a rule, the Internet provider assigns the user a dynamic IP address unless the user demands otherwise. It is sufficient for regular internet surfing. Nevertheless, in case that the demands of the user are somewhat greater and if continuous access to certain resources via the Internet is necessary (e.g. we want to install video-surveillance via the Internet), the user will choose a static IP address and cover some additional expenses. Still, this is how a static IP address remains our permanent Internet address. All devices within out local network can then access the Internet with this static IP address.
The road of IP addresses toward being considered personal data was not short and simple. Several key court decisions needed to be brought in for IP address to be considered personal data according to the GDPR.
The Belgian Association of Authors, Composers, and Publishers (SABAM) requested from the court to oblige Scarlet, an Internet provider, to install a filtration system that would monitor and prevent download and trade of works protected by copyright. The Belgian court ruled the case in favor of SABAM and ordered Scarlet to do so. However, Scarlet filed a complaint about this first-instance court decision to the Court of Appeal in Brussels. Within this context, the Court of Appeal addressed a question to the European Court of Justice whether the EU legislation allows national courts to order the installation of electronic communication filtration and blocking systems. Finally, the European Court of Justice took the stance that a request addressed to the Internet provider to manage a general electronic communication filtration and blocking system is not in accordance with the EU legislation. The court in Luxembourg also established that a filtration system may be contrary to the basic rights of Scarlet’s users, that is, with their right to personal data protection and the right to exchange (receive and transfer) data.
The European Court of Justice ruled that IP addresses collected by the Internet provider are personal data. Namely, the European Court of Justice considered that an order demanding the installation of a disputable filtration system would include the system analysis of all contents as well as collecting and identification of user IP addresses from which illegal content is sent online. IP addresses are protected data because they enable accurate user identification. The Court did not provide a more detailed and precise elaboration on the IP address as personal data, or more precisely, it did not define whether an IP address is always considered personal data, and also whether a distinction is made between a dynamic and a static IP address in this sense.
Since this verdict only contributed to the adoption of attitude regarding the IP address as personal data issue to a certain extent, it was only after the long-awaited verdict for the Patrick Breyer vs Bundesrepublik case that the European Court of Justice provided a response to questions without a unique stance and court practice.
The issue of IP address being considered personal data was discussed in the European Court of Justice verdict on the Patrick Breyer vs Bundesrepublik Deutschland case of October 2016. The importance of this verdict reflects in providing a precise definition on what can be considered personal data, how this data can be used and when is it abused, all in accordance with the former valid EU Directive on personal data protection.
The Patrick Breyer vs Bundesrepublik Deutschland case includes websites managed by the Federal Republic of Germany (“BRD”) which, like most website operators, have a record of the IP addresses of their website visitors. Patrick Breyer initiated court proceedings against the Federal Republic of Germany, considering that the German Government collected and used IP addresses of website visitors controlled by the Government and thereby processed personal data of visitors without their consent. He demanded the court to ban the Federal Republic of Germany as a web operator, along with the obligation to obtain beforehand approvals for such activities. The government justified this practice with reasons of safety, prevention of cyber attacks and the possibility of prosecuting the perpetrator of such actions.
The German Federal Court of Justice discontinued the procedure and forwarded the case to the Judicial Panel of the Court of Justice of the EU, looking for the answers to the following questions:
1. Is a dynamic IP address personal data by virtue of the EU Directive on personal data protection, and
2. Is the German Law on Telemedia contrary with the EU Directive on personal data protection, as it did not allow the web operator to justify their legitimate interests in personal data processing (in this case the German government to justify its legitimate interests in the sense of cyber attack protection of the websites it manages).
Namely, the German court asked the European Court of Justice to take a stance whether a dynamic IP address, collected by a web operator, can be considered personal data if the Internet provider, as a third party, has additional information that could identify that individual.
What Did the Court Say?
The Court decided that dynamic IP addresses can be considered personal data even if the third party is the only one (in this case the Internet provider) with additional data necessary to identify the individual – although only under specific circumstances. The Court emphasized the fact the possibility of combining data with the additional data has to be “means, for which it is reasonable to believe to be used to identify” an individual. The Court clarified this will not be the case “if identifying a person is against the law or virtually impossible due to the fact that it requires disproportional efforts in the sense of time, costs and people so that the risk of identification, in reality, would be insignificant”.
So, the European Court of Justice took the stance that dynamic IP address can be considered personal data, but, it depends on the circumstances and specificity of each individual case.
The European Court of Justice also decided that Section 15 of the German Law on Telemedia is too restrictive as its provisions do not foresee that personal data processing can be justified by legitimate interests of the web operator. The Court decided that German authorities can have a legitimate interest in collecting IP addresses of the website visitors and thereby process their personal data in order to protect themselves from cyber attack.
The Patrick Breyer vs Bundesrepublik, Deutschland case raised the question of whether a dynamic IP address, as a variable category, can be considered personal data. Generally speaking, dynamic IP addresses alone are not sufficient to identify an individual. However, in a combination of date and time of access, Internet provider can identify the user. So, the web operator with the help of the provider can indirectly discover the user’s identity. Precisely this was the key question: is such data eligible to be considered personal?
As we have already seen in this text, the European Court of Justice decided that IP addresses for Internet providers be qualified as personal data. However, up to this case, there was no official stance on whether it refers to online providers of media services as well, like web operators, especially if the third party, i.e., Internet providers, possess the information necessary for person identification.
How do the EU regulations define personal data?
According to Article 2 of the EU Directive on personal data protection, personal data includes any information that refers to an identified natural person or an identifiable natural person; an identifiable person is one that can be identified directly or indirectly, especially through an ID number or one or more factors characteristic for their physical, physiological, mental, economic, cultural or social identity.
GDPR retains this definition with the addition that a natural person can be identified on the basis of name, location data, online identifiers and genetic material of that person. GDPR foresees that natural persons can be connected with online identifiers provided by their devices, apps, tools, and protocols, such as IP addresses, cookie identifiers or other identifiers such as radio-frequency labels. This can leave traces which may be used to create a profile of the natural person and their identification, especially if combined with unique identifiers and other information received by servers. So, the EU legislation finally solves the great dilemma: IP address can be considered personal data.
The Law on Personal Data Protection from 2008 prescribes that personal data is any information related to a natural person, regardless of the form it is expressed in and the information carrier (paper, tape, film, electronic media etc.), upon whose request, in whose name or in whose account that information is stored, date of creation, the location where it is stored, means of acquiring the information (directly, by listening or watching etc., or indirectly, by viewing the document containing the information etc.) or regardless of other properties of the information.
However, since this Law does not adequately regulate the subject matter of personal data protection, the need to adopt a new law dates back to 2012, and all of this with the purpose of aligning our legislation with the EU legislation. The European Commission confirmed this in the report from 2016, in which they state that it is necessary to urgently adopt a new law which will be in accordance with the EU standards. The adoption of the new law on personal data protection is one of the conditions of the negotiations between Serbia and the European Union, by virtue of opening Chapter 23.
The Serbian Government committed to adopt the new law by the end of 2015, on the basis of the Model prepared by the Commissioner for Information of Public Interest. However, this project has still not been realized, and the deadlines to adopt the new law have been postponed several times.
The last progress made in the realization of this project was the adoption of the Draft law on Personal Data Protection, prepared by the Ministry of Justice of the Republic of Serbia. However, this Draft was criticized by the expert public, and the European Commission and Eurojust filed their complaints. Specifically, the criticism of the domestic and public opinion addresses the need for a more adequate regulation of video-surveillance, prevention of potential abuse of the citizen’s unique identification number, and establishing more effective data protection in the public sector.
According to the aforementioned Draft law, personal data is “any data that refers to the natural person, whose identity is determined or can be determined, directly or indirectly, especially on the basis of an identity label, such as a name and ID number, location data, identifiers in electronic communication networks or one or more properties of their physical, physiological, genetic, mental, economic, cultural and social identity”.
Since the Draft law does not specifically mention IP addresses but mentions “an identifier in electronic communication networks”, it can be concluded that the new law is compliant with GDPR on this matter.