IP addresses – personal data?

February 12th, 2016

The question of how data protection rights cash out within the online environment is without doubt one of the more difficult questions which data privacy practitioners have to tackle. One major area of contention is the extent to which data protection legislation applies to ostensibly anonymous, impersonal online data. This is an issue which our own Court of Appeal considered last year in the case of Vidal-Hall v Google. In that case, the Court of Appeal readily accepted that there was at the very least a serious issue to be tried on the question of whether tracking data used by Google to track the browsing activities of Google users amounted to ‘personal data’. This was despite the fact that Google did not generally know the name of the user in question: its tracking operation entailed the tracking of individual devices, rather than named individuals. According to the Court, there was a serious issue to be tried the question of whether the tracking data amounted to ‘personal data’, particularly in view of the way in which Google’s appeared effectively to individuate end users through the use of cookie technology.

What then of IP addresses? Can they too amount to personal data, despite the fact that they may not per se themselves yield any specific name or other traditional identifier? This is the issue which the CJEU will be addressing in the forthcoming case of: Breyer (Case C-582/14), due to be heard by the CJEU on 25 February 2016. Whilst of course nothing would give me greater pleasure than to wax lyrical on the particular technical arguments which lie behind this case, I feel I must defer to this easy-to-follow analysis on EU Law Radar. But I will just point out that as long ago as 2007 the Article 29 EU Working Party was prepared to express the view that the definition of ‘personal data’ in the Data Protection Directive was wide enough to encompass IP addresses (see its Opinion 4/2007). Given the current direction of travel within Europe in terms of giving online data privacy legislation some bite, it would not be altogether surprising if the CJEU took the same view.

Anya Proops

Comments are closed.