Dynamic IP Address is personal data


Dynamic IP Address is personal data

The European Court of Justice (ECJ) delivers a judgement on whether dynamic IP addresses are, or are not, personal data.

After a German citizen complained that certain government websites were recording his (dynamic) IP address, the courts were asked to rule on whether the EU Data Protection Directive applied to the processing of the individual's IP address.

At first glance their ruling appears to be a bit of a bombshell! 'Dynamic IP addresses are personal data' and should therefore be processed in accordance with all personal data requirements e.g. consent etc.

However, the ruling is quite clear that a dynamic IP address is only personal data where it can lead to an identifiable natural person. This would only be the case if there was other data legally available to link the IP address to an identifiable person. So, if you are an internet service provider, dynamic IP addresses will always be personal data. If you are not, then the dynamic IP address must be linked to something like a form submission or a login process which allows for a link to be created between the IP address and the identifiable person.

This judgement also addresses a 'pet topic' of mine, the interpretation of 'legitimate interests'. It's not an easy judgement to understand, but appears to suggest the 95/46 Directive should prevent national laws from giving data controllers too much leeway to continue processing personal data where it is not necessary.

Here's a link to the Judgement