Home

Can dynamic IP addresses constitute personal data?

A debate has been going on for quite some years now about the question whether dynamic IP addresses constitute personal data in the sense of European data protection legislation. An IP address is the logical address of a node on the internet (be it a computer, a network device or a mobile device).

Given the limited number of available IP addresses available under the 'old' but still widely used IPv4 standard, often a single address is allocated to different devices over time.

So, the IP address that is in use for my personal internet connection today, can be allocated to my neighbour tomorrow.

Still, my internet provider can keep track of that sequence of allocations, thus allowing for the identification of - in this case - a household that is making use of that IP address for reaching out to other nodes (websites, services) on the internet.

The landmark case deciding on the question whether such a dynamic address constitutes personal data is case C-582/14 Patrick Breyer vs. Germany. The two crucial considerations regarding this question in the judgement of the Court of Justice EU are:

C-582/14 consideration 44

"The fact that the additional data necessary to identify the user of a website are held not by the online media services provider, but by that user’s internet service provider does not appear to be such as to exclude that dynamic IP addresses registered by the online media services provider constitute personal data within the meaning of Article 2(a) of Directive 95/46."

gdpr guide

C-582/14 consideration 49

"[...] Article 2(a) of Directive 95/46 must be interpreted as meaning that a dynamic IP address registered by an online media services provider when a person accesses a website that the provider makes accessible to the public constitutes personal data within the meaning of that provision, in relation to that provider, where the latter has the legal means which enable it to identify the data subject with additional data which the internet service provider has about that person."

This case was decided under the 'old' Directive 95/46, which has been replaced by the GDPR from May 25, 2018. The GDPR defines personal data as "any information relating to an identified or identifiable natural person [...]" (art. 4(1)). This definition is, in itself, still not decisive as to whether a dynamic IP address constitutes personal data. It all depends on the criteria for 'identifiable'. The Court of Justice, however, set the standard by applying the above two-step test for this identification:

(1) Party A holds the IP address, and there is a party B that can connect the dynamic IP address to a natural person.

(2) Party A has a legal means of obtaining access to the connecting data at party B.

There is no reason to assume that anything has changed in this respect after the GDPR became effective. Technologies, however, develop further. Other data collected by a website provider increase the chance of identifying natural persons, which certainly has to be taken into account when you try to decide whether IP addresses collected are subject to the GDPR regime. Obviously, if you allow users to login to your website using their e-mail address and a password, the IP addresses almost certainly will count as personal data, because it can identify an individual user.

Even if you refrain from using personal user accounts, the use of tracking pixels and the storage of user agent data (mac addresses, operating system and browser information etc.) will increase the risk of identifiability and therefore the chances of being marked as personal data. But beware, by default, a lot is being logged by web servers that you might not be aware of and you are still responsible for. An internal survey of actual data being processed by the web services you provide will help you becoming compliant with the GDPR.

Laurens Mommers
COO PrivacyPerfect