The European Court of Justice, with the decision C‑582/14 issued on the 19th October 2016, stated that the Internet Protocol address (the “IP address”) can be considered personal data when it allows to identify users through the authorities and the ISP (the Internet Service Provider).
In that case, the question was raised a German citizen against the Federal Republic of Germany regarding the recording and the retention of that citizen’ IP address after browsing some German Federal service websites.
In order to contrast cyber-attacks and to identify hackers, the access in German websites are recorded and, at the end of the consultation, some data are recorded also, like the name of the website or the name of the file consulted, the words researched, the moment of the consultation, the volume of the transferred data, the message concerning the outcome of the consultation and the IP address of the pc from which the access has been done.
The European Court has firstly stated that an IP address is not an information referred to an identified individual, because it does not directly disclose the identity of the owner of the PC which is linked to a website neither the identity of third parties who can use the same computer. However, the Court has pointed out that the Article 2, lett. a) of the Directive 95/46 considers a person identifiable when he or she can be identified not only directly, but even indirectly. Moreover, Recital 26 of Directive 95/46/EC explains how to determine whether a person is identifiable: account should be taken of all the means likely reasonable to be used either by the controller or by any other person to identify the said person.
According to the Court, even if the information that allows the identification are not directly held by the site operators, but by the Internet provider, it does not exclude that an IP address can be considered personal data. It has to be determined whether the combination of the IP address and the names held by the Internet providers is accessible to website operators. This would not be a possibility if the person identification was forbidden by the law or impracticability, e.g. because it required a considerable time and labour costs.
Even if German national law does not allow to ISP to provide the information that allow the identification from an IP address, the Court found that there are legal instruments which allow to website operators, especially in case of cyber-attacks, to ask to the authorities those information because they are necessary to start penal proceedings. Consequently, it follows that it is possible, with the help of third parties, to identify a person based on the IP address.
The European Court of Justice stated that Article 2, lett. a) of the Directive 95/46 must be interpreted as meaning that a dynamic IP address recorded from a website is a personal data towards the website operator when the operator has legal means that allow to him to identify the person concerned through the user Internet service provider.