In a groundbreaking decision on October 19th, the Court of Justice of the European Union (CJEU) ruled that dynamic IP addresses could be considered as personal data under GDPR. This follows the earlier court hearing where it was argued that it would be too unlikely that anyone could match a dynamic IP address to an individual.
What has happened is that the court have decided that it would be possible under certain circumstances for and internet service provider to be able to identify the user based on the time and data of access and match it up to other information held by the data owner and therefore in certain circumstances, such IP addresses may be subject to protection under the EU Data Protection Directive, Directive 94/46/EC which imposes an obligation on all Member States to protect persons’ right to privacy with respect to the processing of their ‘personal data’.
The judgement which can be found here , held that a dynamic IP address given to a natural person by an online media services provider, if combined with certain other data collected and stored by ISPs would allow such ISPs to identify that natural person, giving the provider ‘the legal means which enable it to identify the data subject with additional data which the Internet service provider has about that person’.
This decision means that these IP addresses must now be processed in accordance with the requirements set out in the EU Data Protection Directive.
It must be noted, however, that various EU regulators have already adopted the view that dynamic IP addresses, particularly when coupled with other information, would be tantamount to personal data.
This was one of the items in GDPR, which entered into force on the 24th of May 2016 and which should apply from the 25th May 2018. The regulation, which modernises the principles set out in the 1995 Data Protection Directive, already acknowledges the fact that IP addresses may be used to identify natural persons in its preamble.
The ruling means that data owners may need to tighten up even further their consent policies on websites.