By Gail Crawford and Ulrich Wuermeling

On October 19, 2016, the Court of Justice of the European Union (CJEU) issued a ruling on the question of whether IP addresses constitute personal data. The ruling has direct implications on the general question of when data can be regarded as anonymous and, thus, fall outside the scope of data protection law. Many statistical applications rely on the assumption that they only use anonymous data (for example for online behavioral advertising, web analytics, security monitoring or health research). Whilst the CJEU has come to the conclusion that in this specific case IP addresses can be used to identify individuals, it provides helpful guidance in other cases where there is no real likelihood of the “key” to the data that is anonymised ever ending up in the hands of the processor in question.

In the case before the CJEU, the institutions of the German Federal Government stored logfiles of users of their internet websites in order to prevent attacks and to make it possible to prosecute “pirates.” The logfiles were kept by the institutions after the user ended the session. A German data protection activist sued the Government with the aim to block such storage. He argued that the data should be regarded as personal data since the internet service provider used by the activist had knowledge about his identity and the dynamic IP addresses he used. The logfiles should be regarded as “personal data” because the internet services provider, as a third party, was able to identify the users.

The CJEU clarifies in the judgment that the mere fact that a third party is able to identify the data is not sufficient to treat the data as identifiable. The European Data Protection Directive (as the forthcoming European Data Protection Regulation) only takes the knowledge of a third party into account if such knowledge is “likely reasonably” to be used to identify the identity. The Court refers to the Advocate General opinion that this would not be the case if the identification of the data subject was prohibited by law or practically impossible on account of the fact that it requires disproportional effort.

In the case of logfiles stored by the Government, the CJEU considered whether, in the event of a cyber-attack, legal channels exist for the Government to require the competent authorities to require disclosure by the internet service provider of information needed to identify the individuals. If this is the case, then the CJEU considers the logfile data is personal data as it can be connected to the individual based on the records of the internet service provider, which the provider might be forced to provide through valid legal process.

It should be emphasised that the assessment by the CJEU is in the context of a case where the purpose of storing the data was to making it possible to identify and prosecute attackers. Therefore, it is not surprising that the CJEU considered it “likely reasonably” that the data would be identifiable in the course of an action of the competent authorities against such attacks. However, this makes the case substantially different to other forms of processing of anonymous data.

When data is processed, for example, for online behavioral advertising, web analytics or health research, identifiers might be used to assign the data to (unknown) individuals. There might be third parties who could potentially identify such individuals (like internet service providers or doctors). However, under the test applied by the CJEU the knowledge of such third parties should only be relevant if it is “likely reasonably” that this knowledge would be used to identify the individuals. If it would be unlawful or would require disproportional effort to do so, one can argue that the data has to be considered anonymous.

Further, the argument can still be made in relation to IP addresses where the use is such that the entity storing the IP addresses would have no likely reason to lawfully require the internet service provider to disclose the identify behind the IP address.

The opposite opinion, that any third party knowledge that allows identification makes data identifiable has been clearly rejected by the CJEU. Since the European Data Protection Regulation repeats the requirement that the identification has to be “likely reasonably”, the same considerations should apply after the Regulation becomes applicable on May 25, 2018.