Does the IP address represent personal data?
What is an IP address?
An Internet Protocol (IP) address is a unique number that identifies a computer or other hardware connected to the Internet and allows it to exchange information with other devices over the Internet or a local network.
Each IP address consists of several parts: the first section identifies the network, and the last section identifies the individual device (e.g. a computer or a server). The information that the IP address provides identifies the device, which in turn could be linked to a particular person. That link arises from the contract concluded with an Internet provider, insofar as the corresponding IP address was assigned on this basis.
Depending on the user's Internet connection, the IP address can be static (same every time), which could easily reveal information about the particular user, or dynamic (different for each session), which does not automatically provide sufficient information to identify the user, unless other data is provided as well.
What is personal data?
By definition, "personal data" means any information relating to an individual who could be identified, directly or indirectly, by an identification number or by one or more specific features.
Personal data may be information disclosing personal life, employment relationships, psychological identity, economic status, social behaviour, etc. In this sense, the IP address may be considered as data related to a particular person, providing information about their social behaviour on the web, interests, contacts, etc.
Practice in Bulgaria
The Commission for Personal Data Protection accepts that the IP address itself cannot identify an individual, but in combination with other additional information, this would be possible. The IP address should be considered as personal data only when it could identify a particular person in each specific case.
The IP address, as a type of network and host identification number, would fall under the definition of "personal data" only if it could be linked to a particular individual.
Therefore, the IP address could be considered as personal data, as in any case it allows or helps the direct or indirect identification of an individual.
In order to comply with the law, each data administrator is obliged to process the IP address only when at least one of the specified eligibility conditions is present: consent of the individual, a statutory obligation, pursuit of legitimate interests, etc.
Practice of the European Court of Justice
The European Court of Justice has accepted that static IP addresses could fall within the scope of personal data within the meaning of Directive 95/46/EC, insofar as they provide sufficient information on the history of a user and make it possible to identify him.
Mr. Breyer (a member of the Pirate Party) told the German court that the federal websites he visits register and store his IP address and could thus get an idea of his interests. According to Mr. Breyer, his consent is necessary. The federal services register and store not only the date and time of the visit but also the IP address of the visitor, as a tool for protection against cyber attacks and for the possible prosecution of such attacks.
The Federal Supreme Court brought an action before the European Court of Justice to determine whether dynamic IP addresses are personal data of the website administrator, and thus benefit from the protection provided for such data.
Although Mr. Breyer's dynamic IP address does not allow his direct identification, it is assumed that he could be indirectly identified by the combination of his IP address and the information that the Internet provider has about him. In this case, the IP address is personal data for the data administrator (the federal services). They have the legitimate right to identify the visitor due to the additional information available to the visitor's Internet service provider. According to the European Court of Justice, the data administrator or the third party to whom the data was transferred does not need the consent of the user if there is a legitimate aim, such as the maintenance of the website.
Importance for the business
In conclusion, in many cases both static and dynamic IP addresses could be considered personal data, so the rules for collecting and processing personal data must be complied with. This conclusion is important for companies wishing to check their IP addresses for viruses or cyber-attacks, as well as for companies using IP addresses for online analytical, statistical and advertising purposes (e.g. in e-commerce platforms). It is advisable for any company that owns a website in Europe to assess whether it holds IP addresses that identify an individual, and to comply with the applicable protection rules.
The new Personal Data Regulation
Regulation (EU) 2016/679 for data protection comes into force in May 2018, and provides that certain categories of online data could be considered as personal data, including IP addresses. With the new rules, more data categories will be classified as personal and data administrators will be required to implement stricter data protection to prepare for the changes.