On 12 May, the Advocate General’s (AG) opinion in Case C-582/14 Patrick Breyer v Germany was released, stating that dynamic IP addresses should be considered personal data for the purposes of EU data protection law. Although opinions of the AG are not binding on the Court of Justice of the European Union, whose full judgment is pending, they can provide an early indication of the likely outcome.
The opinion states that even if the operator of a website is unable to identify a data subject using a dynamic IP address alone, the subject may be identified when that address is used in combination with information held by the operator.
If followed by the CJEU, the practical effect of this approach is that where website operators collect and use the IP address data of individuals who access their website, they must do so in accordance with the Data Protection Directive (95/46/EC) and the forthcoming General Data Protection Regulation. In situations where only an IP address is collected by an operator (for example, for the purpose of analytics) this adds a layer of complexity, as fair notice must be given to individuals of the collection, and it must otherwise be processed only in accordance with the law.
The final decision of the CJEU will provide authoritative guidance on this issue, and is expected soon.