Thirdly, the way a device is assigned an IP address can be either static or dynamic. ISPs have a pool of IP addresses that they are able to assign to a customer. Static IP addresses are unchanging: the device is assigned the same IP every time it connects to the internet.
Unless you have arranged to have a static IP with your provider, your IP address is not guaranteed to stay the same each time you connect to the internet. Assignments are time bound, and often rely on the hardware address of the internet gateway (eg your router). Rebooting, updating or changing your internet gateway can cause the address to change.
Individuals do not normally need to have static IP addresses. However, since ISPs only have a finite number of them to assign, they will typically charge users who would like a static IP address a fee. Businesses may do this to assist in hosting servers and/or their local networks.
Given how IP addresses work in practice, it may not always be immediately obvious how to identify a user from an IP address. Data protection law typically requires that an individual must be identifiable for data to count as personal data.
Because static IP addresses are fixed, it’s relatively straightforward to see why they ought to be considered personal data, as there is a consistent link between the IP address and the subscriber. The IP address therefore acts as an ‘identifier’ for the device and, by extension, the user of that device. On the other hand, it may not be straightforward that a dynamic and/or shared address allows for identification.
However, the UK’s data protection regulator, the Information Commissioner’s Office (ICO) describes IP addresses as ‘online identifiers’; a digital means of identifying an individual within information, which makes it ‘identifiable’ and therefore personal data. IP addresses are also considered to be an ‘online identifer’ within recital 30 of the GDPR which explicitly lists IP addresses as an example.
That’s because ISPs are typically required to retain records and so it’s not hard for them to identify which IP address was assigned to which subscriber at any particular point in time. That’s true for both dynamic and shared IPs - with the right information, an ISP will be able to identify who was using a particular IP address at a given time.
But just because ISPs can do it, does that mean that IP addresses are always personal data? There is some interesting case law from the Court of Justice of the European Union (CJEU) on the matter.
The first important case on whether dynamic IP addresses can be considered personal data is Breyer v Bundesrepublik Deutschland (C-582/14). The case involved a German man, Patrick Breyer, who accessed several websites operated by German federal institutions and sought to legally restrain the federal government from storing his access information, including IP address. The courts established that dynamic IP addresses could constitute personal data when they can be linked with other information that identifies the user.
The identifying information in question was not held by the federal government but by the ISPs who could link the IP address to the user. Individuals would clearly be identifiable by their dynamic IP address if the information held by the ISPs was combined, but the question remained as to whether the federal government (who themselves held only the dynamic IP address) could do so, given that this would require the assistance of the ISP.
Data protection law states that, to determine whether an individual is identifiable, ‘account should be taken of all the means reasonably likely to be used’. Here, the court stated that an IP address would not constitute personal data if identification was impossible, prohibited by law or required a disproportionate amount of effort. However, under German law, website providers are capable of contacting ISPs and obtaining subscription information for specific purposes (e.g. in the event of cyber attack). The court considered this was a means reasonably likely to be used to identify the data subject.
In conclusion, storing dynamic IP addresses counts as personal data processing if a legal and reasonably likely to be used means exists to enable attribution of the IP address (even if that is by virtue of assistance from a third party).
There is currently another case from Germany pending before the CJEU about the identifiability of dynamic IP addresses. This case may go further than Breyer in understanding the ‘reasonably likely to be used’ test: do the means have to concretely exist, or is theoretical availability enough?
The German Federal Court of Justice (BundesGerichtHof, BGH) has referred several questions to the CJEU, which can be summarised as:
If the CJEU finds that an actor needs to have means to identify a data subject that are both likely to be used (question 2) and that concretely exist (question 3), then this may create a situation in which IP addresses could be personal data in the hands of one party, but not necessarily the other.
A final note on identifiability, the SRB case and the digital omnibus
The question of who can identify a person from data is currently an important topic of political debate in the EU. Another CJEU judgment, EDPS v SRB (C-413/23P), and changes to the GDPR proposed by the European Commission, go to the heart of the question of whether information sent to someone who does not have the means to attribute it is personal data processing.
The SRB case involved data sent by the Single Resolution Board (SRB, an EU body) to Deloitte (a consultancy firm). The data was pseudonymised, filtered, and aggregated prior to being sent to Deloitte, who did not have access to the key enabling them to ‘decrypt’ the pseudonyms. The data transferred (stakeholder feedback about a Spanish bank) was clearly personal data to SRB, but the question was whether the data was personal data for Deloitte, who could not identify the stakeholders.
The EDPS argued that because the ‘decryption’ key exists (even though in another’s hands and inaccessible to Deloitte), the pseudonymised information was identifiable and so must still be considered personal data to all parties. But the CJEU disagreed, stating that pseudonymisation may ‘effectively prevent persons other than the controller from identifying the data subject, in such a way that, for them, the data subject is not or is no longer identifiable [86]’.
The CJEU continued that the data would not be considered personal data to Deloitte where: (1) Deloitte was unable to remove the pseudonymisation measures; and (2) the pseudonymisation measures did in fact prevent Deloitte from attributing the data to data subjects.
The European Commission is now seeking to go even further than this judgment by allowing for organisations to make a subjective assessment themselves of whether they can (or wish to) identify people from data. This may give too much leeway to companies and may result in data being sold or shared to others who can identify people without the needed protections.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。