Breyer v Bundesrepublik Deutschland
Case date: 19/10/2016
Area/s of law: Data protection
Mr Breyer, a German national, accessed websites operated by the German Federal institutions’ online media services provider (OMSP). When accessed, these websites stored information including the IP address of the accessing computer. The reason for storing this information was to prevent attacks on websites and to facilitate the prosecution of attackers. The IP addresses stored were “dynamic” addresses, which changed each time there was a new connection to the internet. Mr Breyer brought proceedings before the German courts, seeking an order restraining the Federal Republic of Germany from storing, or arranging for third parties to store, the IP addresses of computers accessing the Federal institutions’ websites (except insofar as necessary to restore services in the event of a fault).
The German Federal Court of Justice referred two questions for determination by the CJEU:
(1) Whether a dynamic IP address collected by an OMSP constitutes personal data within the meaning of the Data Protection Directive (“DPD”), where only a third party (in this case, the internet service provider (“ISP”)) has the additional data necessary to identify the individual from that IP address.
(2) Whether the DPD precluded Member State legislation under which OMSPs could collect and use the personal data of a website user, without his or her consent, only insofar as that was necessary to facilitate and charge for specific use of the website, and not beyond the end of that specific use for the purpose of ensuring the general security and operability of online media services.
As to question (1), the CJEU held that a dynamic IP address did constitute personal data under the DPD in those circumstances. As to question (2), the CJEU held that the relevant provision under German law was precluded by Art.7(f) DPD.
Under Article 2(a) DPD, “personal data” means “any information relating to an identified or identifiable person,” the latter being a person who can be identified “directly or indirectly”. In Scarlet Extended SA v SABAM  ECDR 4, the ECJ had previously held that IP addresses were protected personal data where the ISP carried out both the collection and identification of users’ IP addresses.
It was common ground that a dynamic IP address did not constitute information relating to an “identified” person, since such an address did not directly reveal the identity of the owner or user of the computer. The question was therefore whether it was data relating to an “identifiable” person.
The CJEU held that recital 26 of the DPD (which requires that account be taken of “all means likely reasonably to be used either by the data controller or any other person” to identify a data subject) did not require that all the information enabling identification be in the hands of one person. Therefore, the fact that the additional data necessary to identify the user from the dynamic IP address was in the hands of the ISP, and not the OMSP, did not preclude a finding that that IP address constituted personal data.
What was to be determined was whether the possibility of combining the IP address with the additional data was “a means likely to be used” to identify the data subject. The question was ultimately whether “the risk of identification appears in reality to be insignificant” and turned on issues of legality, possibility and proportionality.
In this case, it appeared to the CJEU that in the event of cyber attacks, legal channels existed so that OMSPs could request that German authorities obtain the additional information from ISPs that would allow identification of website users.
Regarding the second question, the CJEU noted that Art.7(f) DPD required Member States to provide for the processing of personal data if necessary for the purposes of legitimate interests pursued by the controller or third parties, except where such interests were overridden by the interests or fundamental rights of the data subject. This formed part of an exhaustive list in Art.7 DPD of cases in which processing of personal data was to be regarded as lawful, the scope of which Member States could not amend.
The provision of German law at issue categorically precluded the storage of personal data beyond a specified period of use of online media, for the purpose of guaranteeing the general use of those media. It therefore had a more restrictive scope than that of the principle laid down by Article 7(f), as it excluded the possibility of balancing the objective of ensuring the general operability of the media against the interests or rights of data subjects in individual cases.