Out-Law News

More information likely to be considered personal data in the UK in light of EU court ruling, says expert


More information is likely to be considered to be personal data by UK courts in light of a new ruling by the EU's highest court, a data protection law expert has said.

Kuan Hon of Pinsent Masons, the law firm behind Out-Law.com, said the ruling by the Court of Justice of the EU (CJEU), which concerned whether dynamic IP addresses constitute personal data, could serve to broaden the existing definition of personal data under the UK's Data Protection Act.

"The definition of personal data under the Data Protection Act differs from that under the Data Protection Directive," Hon said. "Under the Directive, data is ‘personal data’ if it relates to an identified or identifiable natural person who can be identified directly or indirectly. The Directive does not spell out who can identify the person. In contrast, under the Act, identifiability is based only on information held by or 'likely to come into the possession of' the data controller, and does not include other information held by third parties which could, when combined with the data held by the controller, be used to identify the person."

"The definition of personal data will be broader under the new EU General Data Protection Regulation when that comes into effect, and it is also broader under the existing Data Protection Directive than under the Act. If UK courts apply the 'autonomous concept' approach to the definition of personal data under the Data Protection Directive, as now interpreted by the CJEU, then much more data will have to be considered 'personal' in the UK," she said. “In a sense, this is moving to a position, already held by some European data protection regulators, that if anyone anywhere has information that, when combined with an organisation’s data, could identify an individual, then the organisation must treat that data as personal data – including encrypted data where the organisation may not have the decryption key.”

In its ruling, the CJEU said that website operators should treat IP addresses as personal data if internet service providers (ISPs) hold additional data that could be combined with IP addresses to identify specific users of websites and the operators have the "legal means" to access the ISPs' data and are "likely reasonably" to do so to identify individual users.

The CJEU confirmed that a dynamic IP address on its own does not constitute personal data since it "does not directly reveal the identity of the natural person who owns the computer from which a website was accessed, or that of another person who might use that computer".

However, it outlined circumstances in which dynamic IP addresses would be considered to be personal data, highlighting in particular the potential matching of IP addresses with other data that might identify an individual.

Whether dynamic IP addresses constitute personal data is important because personal data can only be used, shared and stored in accordance with strict data protection laws. Those restrictions do not apply if the information is not personal data.

Data protection law expert Kathryn Wynn of Pinsent Masons earlier this year said that businesses should treat IP addresses as being subject to data protection laws even if the CJEU ruled that the information is not to be automatically considered as being personal data, which it now has.

Wynn said guidance issued by data protection authorities and a UK court support a cautious approach being taken to how businesses treat IP addresses, citing the potential for IP addresses to be "used to identify individual internet users when matched together with other information".

The CJEU's ruling came in a case referred to it by the Federal Court of Justice in Germany, which asked the CJEU to help it resolve a dispute over whether the German government has the right to store an internet user's IP address when he accessed online media services on websites operated by the government.

The German court specifically asked the CJEU whether website operators that store IP addresses when device users connect to their sites can be said to be handling personal data if the businesses facilitating those device users' online access – third party ISPs – hold "the additional knowledge required in order to identify the data subject".

The CJEU's ruling involved interpreting provisions within the EU Data Protection Directive. Under the Directive, data is considered to be about an "identifiable person", and therefore personal data, if it allows that person to be identified either "directly or indirectly".

The CJEU said that those provisions mean that "in order to treat information as personal data, it is not necessary that that information alone allows the data subject to be identified". The law does, however, require data controllers to take account of "all the means likely reasonably to be used either by [them] or by any other person to identify the said person" when determining if a piece of data is about an identifiable person, and therefore personal data, it said.

When conducting this assessment, data controllers must take account of information not only that they hold, but which is held by others, the CJEU said.

The law in Germany generally prohibits ISPs from transmitting "the additional data necessary for the identification of the data subject" to online media services providers in the country that hold dynamic IP addresses about users. However, an exception exists to enable data matching to take place, via a "competent authority", to identify those responsible for cyber attacks, according to the ruling.

The CJEU said that because that legal channel exists, "it appears" online media services providers in Germany have "the means which may likely reasonably be used in order to identify the data subject, with the assistance of other persons … on the basis of the IP addresses stored".

The CJEU said that it would not be considered "likely reasonably" for website operators to use the additional data ISPs hold to identify the website users behind IP addresses "if the identification of the data subject was prohibited by law or practically impossible on account of the fact that it requires a disproportionate effort in terms of time, cost and man-power, so that the risk of identification appears in reality to be insignificant".

Under German law, online media services providers can collect and use the personal data of a user "only to the extent that that is necessary to facilitate and charge for the use of those media", according to the CJEU.

However, the CJEU ruled that such restrictions on data collection and use are precluded under the Data Protection Directive because they do not take sufficient account of the legitimate interests online media services providers in Germany have to use the data for other purposes.

The Directive permits personal data to be processed by organisations in accordance with any one of six legal conditions, only one of which involves the consent of data subjects.

One of the other lawful conditions for processing is where "processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject".

In its ruling the CJEU said: "[The Data Protection Directive] … precludes member states from excluding, categorically and in general, the possibility of processing certain categories of personal data without allowing the opposing rights and interests at issue to be balanced against each other in a particular case. Thus, member states cannot definitively prescribe, for certain categories of personal data, the result of the balancing of the opposing rights and interests, without allowing a different result by virtue of the particular circumstances of an individual case."

The German legislation "reduces the scope of the principle laid down in … [the] Directive by excluding the possibility to balance the objective of ensuring the general operability of the online media against the interests or fundamental rights and freedoms of those users", the CJEU said.
