惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

SecWiki News
SecWiki News
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
V
Visual Studio Blog
博客园 - 叶小钗
S
SegmentFault 最新的问题
IT之家
IT之家
大猫的无限游戏
大猫的无限游戏
博客园_首页
Apple Machine Learning Research
Apple Machine Learning Research
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
月光博客
月光博客
酷 壳 – CoolShell
酷 壳 – CoolShell
腾讯CDC
D
Darknet – Hacking Tools, Hacker News & Cyber Security
V
V2EX
阮一峰的网络日志
阮一峰的网络日志
L
Lohrmann on Cybersecurity
量子位
C
Cyber Attacks, Cyber Crime and Cyber Security
T
Tor Project blog
J
Java Code Geeks
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
博客园 - 三生石上(FineUI控件)
Attack and Defense Labs
Attack and Defense Labs
AI
AI
The Cloudflare Blog
T
Tailwind CSS Blog
S
Schneier on Security
爱范儿
爱范儿
PCI Perspectives
PCI Perspectives
Stack Overflow Blog
Stack Overflow Blog
S
Secure Thoughts
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
T
The Exploit Database - CXSecurity.com
博客园 - 【当耐特】
V2EX - 技术
V2EX - 技术
S
Securelist
P
Proofpoint News Feed
T
Threat Research - Cisco Blogs
Help Net Security
Help Net Security
C
Cisco Blogs
N
News and Events Feed by Topic
人人都是产品经理
人人都是产品经理
B
Blog RSS Feed
K
Kaspersky official blog
T
The Blog of Author Tim Ferriss
G
Google Developers Blog
S
Security Affairs
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
Simon Willison's Weblog
Simon Willison's Weblog

Privacy International News Feed

Humanless Resources? Uncovering AI recruitment software When algorithms go to war PI’s submission to the UN Working Group on the Use of Mercenaries Collateral Damage: Claude Mythos and the Privacy Risks of AI Key highlights of our 2026 results by season World Food Programme expand Palantir partnership Time to address the human rights implications of AI in the military domain Bad Vibes: AI coding tools and privacy issues How New EU Access to Documents Rules Can Reduce Transparency and Shield Big Tech Privacy International’s submission to the UN High Commissioner for Human Rights on the protection of human rights defenders in the digital age Collateral Damage: Grok AI and the Human Cost of Generative AI From Big Oil to Big Algorithm: Public Money in Private Models Dual-use tech: the BAE Systems example Dual-use tech: the Lockheed Martin example Voter Disenfranchisement: A Privacy Issue What is digital fingerprinting: Is my device ever truly anonymous? Moving Goalposts: Football, Facial Recognition and the Expansion of Surveillance Dangerous data The ILO Convention on decent work in the platform economy Challenging the militarisation of tech: a visual explainer PI seeks to inform inquiry of UK Joint Committee on Human Rights on human rights and AI Transparency and explainability for algorithmic decisions at work Our key achievements from 2025 Joint Statement on New Finnish Social Welfare Laws’ Human Rights Implications Privacy International’s remarks at the side event of the 61st Session of the UN Human Rights Council on the Human Rights Impacts of Using Artificial Intelligence in Countering Terrorism What does it mean when Big Tech goes to war? Privacy International & Women on Web - Securing Reproductive Justice: A Guide to Digital Privacy for Sexual and Reproductive Justice Activists
Are IP addresses personal data?
2026-03-27 · via Privacy International News Feed

IPs are not always stable over time

Thirdly, the way a device is assigned an IP address can be either static or dynamic. ISPs have a pool of IP addresses that they are able to assign to a customer. Static IP addresses are unchanging: the device is assigned the same IP every time it connects to the internet.

Unless you have arranged to have a static IP with your provider, your IP address is not guaranteed to stay the same each time you connect to the internet. Assignments are time bound, and often rely on the hardware address of the internet gateway (eg your router). Rebooting, updating or changing your internet gateway can cause the address to change.

Individuals do not normally need to have static IP addresses. However, since ISPs only have a finite number of them to assign, they will typically charge users who would like a static IP address a fee. Businesses may do this to assist in hosting servers and/or their local networks.

IP addresses as personal data

Given how IP addresses work in practice, it may not always be immediately obvious how to identify a user from an IP address. Data protection law typically requires that an individual must be identifiable for data to count as personal data.

Because static IP addresses are fixed, it’s relatively straightforward to see why they ought to be considered personal data, as there is a consistent link between the IP address and the subscriber. The IP address therefore acts as an ‘identifier’ for the device and, by extension, the user of that device. On the other hand, it may not be straightforward that a dynamic and/or shared address allows for identification.

However, the UK’s data protection regulator, the Information Commissioner’s Office (ICO) describes IP addresses as ‘online identifiers’; a digital means of identifying an individual within information, which makes it ‘identifiable’ and therefore personal data. IP addresses are also considered to be an ‘online identifer’ within recital 30 of the GDPR which explicitly lists IP addresses as an example.

That’s because ISPs are typically required to retain records and so it’s not hard for them to identify which IP address was assigned to which subscriber at any particular point in time. That’s true for both dynamic and shared IPs - with the right information, an ISP will be able to identify who was using a particular IP address at a given time.

But just because ISPs can do it, does that mean that IP addresses are always personal data? There is some interesting case law from the Court of Justice of the European Union (CJEU) on the matter.

Breyer v Bundesrepublik Deutschland

The first important case on whether dynamic IP addresses can be considered personal data is Breyer v Bundesrepublik Deutschland (C-582/14). The case involved a German man, Patrick Breyer, who accessed several websites operated by German federal institutions and sought to legally restrain the federal government from storing his access information, including IP address. The courts established that dynamic IP addresses could constitute personal data when they can be linked with other information that identifies the user.

The identifying information in question was not held by the federal government but by the ISPs who could link the IP address to the user. Individuals would clearly be identifiable by their dynamic IP address if the information held by the ISPs was combined, but the question remained as to whether the federal government (who themselves held only the dynamic IP address) could do so, given that this would require the assistance of the ISP.

Data protection law states that, to determine whether an individual is identifiable, ‘account should be taken of all the means reasonably likely to be used’. Here, the court stated that an IP address would not constitute personal data if identification was impossible, prohibited by law or required a disproportionate amount of effort. However, under German law, website providers are capable of contacting ISPs and obtaining subscription information for specific purposes (e.g. in the event of cyber attack). The court considered this was a means reasonably likely to be used to identify the data subject.

In conclusion, storing dynamic IP addresses counts as personal data processing if a legal and reasonably likely to be used means exists to enable attribution of the IP address (even if that is by virtue of assistance from a third party).

German Federal Court of Justice (BGH)

There is currently another case from Germany pending before the CJEU about the identifiability of dynamic IP addresses. This case may go further than Breyer in understanding the ‘reasonably likely to be used’ test: do the means have to concretely exist, or is theoretical availability enough?

The German Federal Court of Justice (BundesGerichtHof, BGH) has referred several questions to the CJEU, which can be summarised as:

  1. Are dynamic IP addresses personal data when transmitted if some third party has the additional knowledge necessary to identify the data subject?
  2. If not, do either the sender or the recipient need to have reasonable means likely to be used for identification for the IP address to be considered personal data (including with the assistance of a third party)?
  3. If so, is it sufficient that the means likely to be used may exist or must they actually exist in factual and legal terms in the specific case?

If the CJEU finds that an actor needs to have means to identify a data subject that are both likely to be used (question 2) and that concretely exist (question 3), then this may create a situation in which IP addresses could be personal data in the hands of one party, but not necessarily the other.

A final note on identifiability, the SRB case and the digital omnibus

The question of who can identify a person from data is currently an important topic of political debate in the EU. Another CJEU judgment, EDPS v SRB (C-413/23P), and changes to the GDPR proposed by the European Commission, go to the heart of the question of whether information sent to someone who does not have the means to attribute it is personal data processing.

The SRB case involved data sent by the Single Resolution Board (SRB, an EU body) to Deloitte (a consultancy firm). The data was pseudonymised, filtered, and aggregated prior to being sent to Deloitte, who did not have access to the key enabling them to ‘decrypt’ the pseudonyms. The data transferred (stakeholder feedback about a Spanish bank) was clearly personal data to SRB, but the question was whether the data was personal data for Deloitte, who could not identify the stakeholders.

The EDPS argued that because the ‘decryption’ key exists (even though in another’s hands and inaccessible to Deloitte), the pseudonymised information was identifiable and so must still be considered personal data to all parties. But the CJEU disagreed, stating that pseudonymisation may ‘effectively prevent persons other than the controller from identifying the data subject, in such a way that, for them, the data subject is not or is no longer identifiable [86]’.

The CJEU continued that the data would not be considered personal data to Deloitte where: (1) Deloitte was unable to remove the pseudonymisation measures; and (2) the pseudonymisation measures did in fact prevent Deloitte from attributing the data to data subjects.

The European Commission is now seeking to go even further than this judgment by allowing for organisations to make a subjective assessment themselves of whether they can (or wish to) identify people from data. This may give too much leeway to companies and may result in data being sold or shared to others who can identify people without the needed protections.