The European Court of Justice (ECJ) has handed down a judgement that rules IP Addresses are Personally Identifiable Information (PII). The ruling is likely to create problems for a lot of companies. Many capture the IP address of computers to track who is accessing data. They must now treat that data in accordance with privacy rulings.
What are IP addresses and how are they used?
Every device connected to the Internet does so using an IP address. Business users tend to pay for a “fixed IP”. This means that it is theirs as long as they pay for it. This means that any communication over that link is easily tracked back to that company.
Consumers get a dynamic address from their ISP which can change. This is because most ISPs do not have a large enough pool of addresses to supply every customer. The ISP retains the details of the IP address and details of the device using it. This allows them to track who is using it and when.
The same is true for mobile users. Whenever they connect to a new mobile network such as when they change country, they get a new IP address. This is combined with a unique code built into the device. Using the unique code law enforcement and intelligence services can track the usage of a device across multiple networks including WiFi.
Website owners track connections to their sites by IP address. This is often used to see if a user is returning to their site or if they are a new user. Some sites tell the user that they have captured the IP address when they seek to change their password. Tracing the IP address also tells then whose network the user was on and even the business they work for. If there is an issue with illegal access to a site or an attempted hack of a site, that IP address, data and time are part of the data law enforcement gather.
Who brought this case and why?
The case was brought by Patrick Breyer against the German Government. He had accessed pages on websites run by the German Government. They had captured his IP address and the pages he viewed along with other data. This is all stored in log files that are searchable by third-parties and security teams.
Breyer says IP addresses are personal data as defined by Article 2(a) of Directive 95/46/EC. He asked the court to consider whether the service provider capturing the IP address was a public authority or a private individual. What Breyer wanted was the ECJ to issue a restraining order against the Federal Republic of Germany to stop them or any third parties from storing this data.
As the German Government had already dismissed his case against them he took it to appeal. As he was using a dynamic rather than a static IP address the appeal was dismissed. This was because the court felt he could not be identified based on just the IP address. Both the German Government and Breyer appealed this ruling to the Bundesgerichtsof (Federal Court of Justice). It was that court which asked the ECJ for further clarification on two points:
Must Article 2(a) of Directive 95/46 … be interpreted as meaning that an internet protocol address (IP address) which an [online media] service provider stores when his website is accessed already constitutes personal data for the service provider if a third party (an access provider) has the additional knowledge required in order to identify the data subject?
Does Article 7(f) of [that directive] preclude a provision in national law under which a service provider may collect and use a user’s personal data without his consent only to the extent necessary in order to facilitate, and charge for, the specific use of the telemedium by the user concerned, and under which the purpose of ensuring the general operability of the telemedium cannot justify use of the data beyond the end of the particular use of the telemedium?’
What has been decided?
In a fairly long and detailed set of ruling looking at previous case law, dynamic vs static IP addresses, direct vs indirect identification and the role of state institutions, the ECJ ruled:
Article 2(a) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data must be interpreted as meaning that a dynamic IP address registered by an online media services provider when a person accesses a website that the provider makes accessible to the public constitutes personal data within the meaning of that provision, in relation to that provider, where the latter has the legal means which enable it to identify the data subject with additional data which the internet service provider has about that person.
Article 7(f) of Directive 95/46 must be interpreted as precluding the legislation of a Member State, pursuant to which an online media services provider may collect and use personal data relating to a user of those services, without his consent, only in so far as that the collection and use of that data are necessary to facilitate and charge for the specific use of those services by that user, even though the objective aiming to ensure the general operability of those services may justify the use of those data after a consultation period of those websites.
This is an important ruling that will affect all governments across the EU. It means that they will have to reconsider how they treat IP addresses and what data they capture from visitors to their websites. It is unlikely that this will affect how countries outside of the EU treat data gathered from EU citizens visiting their websites. However, given the fragile relationship in terms of data control between the EU and US we may see a request for further clarification.
For companies who have a web presence this also has an implication. All of the web site statistics packages on the market capture IP addresses. This includes Google Analytics, Microsoft’s Bing Webmaster tools, Webalizer and AW Stats, to name just four. They use IP addresses to show where visitors are located, who accessed what content and when.
This puts pressure on IT departments to now include IP addresses and data from web visitors into their PII pool. They will need to ensure that their policies around the Right to be Forgotten, also apply to web access. This is a case with far reaching ramifications and it will probably need a lot of detailed clarification before we really know what its impact will be.
It will be interesting to see how IT security teams respond. This is data that is core to the way they track and analyse attacks. IP addresses are also found in threat analysis data. If security teams are prevented from using that information it could limit their ability to trace attacks to their source.