Privacy and Security TidBits

Are Dynamic IP Addresses Personal Information?


What is a Dynamic IP address?

An Internet Protocol (IP) address is a series of numbers that an Internet Service Provider (ISP), such as Time Warner or Verizon, assigns to each computer that accesses the internet.

Static IP addresses are permanent IP addresses, usually assigned to organizations with large networks.

Most individuals, however, are assigned “dynamic” IP addresses: IP addresses that the ISP may change whenever it needs to, but which in practice do not change that often. Individual ISP subscribers may keep the same dynamic IP address for long periods of time, such as eight to twelve months. Individual subscribers also usually get a different dynamic IP address when they travel, move to a different home or a different city, change their routers, or access the Internet with their device from a different network.

Dynamic IP addresses, like static IP addresses, do not by themselves allow a link to be established between the IP address and a given computer or user. Only the ISP has access to the additional subscriber information required to establish that link.


Why is this a privacy issue?

Many websites collect and store the static and dynamic IP addresses of the computers that visit their sites, together with the time and date of the visit, and use this information for marketing or for other purposes, such as fraud and security monitoring.

If dynamic IP addresses are Personal Data, then all applicable laws and regulations regarding the collection and processing of personal data apply to the collection and processing of dynamic IP addresses as well.


Unique identifiers and Combined Identifiers

Most global privacy/data protection laws and regulations define personal data not only as data that uniquely identifies a person, such as a person’s name, but also as data that, while it may not uniquely identify an individual on its own, may render an individual identifiable when combined with other data. A simple example would be a phone number (landline and/or mobile). A phone number, on its own, does not identify an individual. However, with the use of reverse lookup tools, a phone number can be used to identify an individual by associating a name and address with that phone number.

In other words, most information collected by an organization about an individual is likely to be considered personal information if it can be attributed to an identified or “identifiable” individual, whether by one unique identifier or by a combination of two or more data elements.


The special case of dynamic IP addresses

If a user of the website concerned has revealed his/her identity during the website consultation period, e.g. by creating a profile, then the operator of that website is able to identify the website user by linking his/her name to his/her computer’s IP address. In that case, even a dynamic IP address will most probably qualify as personal data.

What if the website user has not revealed his/her identity when visiting a website?

Is access to the IP address alone enough to identify that user?

An IP address, whether static or dynamic, can be traced back to an individual when combined with the Internet subscriber information held by the ISP.

In the case of a static IP address, the subscriber information remains the same, regardless of the date on which that subscriber accessed the website.

In the case of dynamic IP addresses, one needs to know the date of access to the website in addition to the IP address of the subscriber, since dynamic IP addresses of internet connected devices tend to change over time.

The fact that the additional information on the date of access is needed for identification renders dynamic IP addresses a tad more “unidentifiable” than static IP addresses.

However, most websites that collect IP addresses also collect the time and date of access, so that, from a privacy perspective, the distinction between static and dynamic IP addresses is not all that significant. All one needs to identify the person behind a dynamic IP address, in addition to the ISP’s subscriber data, is the time frame for which that subscriber data is requested.
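The mechanism described above, as an added example that is not part of the original article: a static address resolves to one subscriber from the address alone, a dynamic address is ambiguous until the access timestamp from the website’s log narrows the ISP’s lease records to a single holder. The lease table, the subscriber names, the addresses (documentation ranges) and the log lines are all constructed for the illustration; nothing here is real ISP or log data.

```python
from datetime import datetime, timezone

# Constructed ISP lease records (hypothetical): which subscriber held which
# address during which interval. The static address has an open-ended lease;
# the dynamic address is reassigned, so the same address maps to different
# subscribers depending on the date of access.
LEASES = [
    # (ip, subscriber, lease_start, lease_end or None for "still assigned")
    ("198.51.100.7", "ACME Corp (static)", "2016-01-01T00:00:00Z", None),
    ("203.0.113.42", "subscriber-A", "2016-01-01T00:00:00Z", "2016-09-30T23:59:59Z"),
    ("203.0.113.42", "subscriber-B", "2016-10-01T00:00:00Z", None),
]


def parse_utc(ts):
    """Parse an ISO-8601 UTC timestamp such as 2016-10-01T00:00:00Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def subscribers_for(ip, access_time=None):
    """Return the set of subscribers the ISP's records link to `ip`.

    Without an access time, every subscriber who ever held the address is a
    candidate; with it, only the holder at that moment remains.
    """
    matches = set()
    for lease_ip, subscriber, start, end in LEASES:
        if lease_ip != ip:
            continue
        if access_time is None:
            matches.add(subscriber)
            continue
        lease_start = parse_utc(start)
        lease_end = parse_utc(end) if end else None
        if lease_start <= access_time and (lease_end is None or access_time <= lease_end):
            matches.add(subscriber)
    return matches


def resolve(ip, access_time=None):
    """Identify exactly one subscriber, or None if the record is ambiguous or unknown."""
    candidates = subscribers_for(ip, access_time)
    return next(iter(candidates)) if len(candidates) == 1 else None


# Constructed web server log lines in common log format: exactly the IP
# address plus time and date of access that the article says most sites store.
LOG_LINES = [
    '203.0.113.42 - - [05/Oct/2016:14:02:11 +0000] "GET /login HTTP/1.1" 200',
    '198.51.100.7 - - [05/Oct/2016:14:03:50 +0000] "GET / HTTP/1.1" 200',
]


def parse_log_line(line):
    """Extract (ip, access_time) from a common-log-format line."""
    ip, rest = line.split(" ", 1)
    stamp = rest[rest.index("[") + 1 : rest.index("]")]
    return ip, datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")


def identify_log_line(line):
    """Combine a stored log entry with the ISP's records, as a party with
    legal access to those records could."""
    ip, access_time = parse_log_line(line)
    return resolve(ip, access_time)


if __name__ == "__main__":
    # Static: the address alone is enough.
    print(resolve("198.51.100.7"))
    # Dynamic: two candidates without a date, one once the log timestamp is added.
    print(subscribers_for("203.0.113.42"), resolve("203.0.113.42"))
    for line in LOG_LINES:
        print(line.split(" ", 1)[0], "->", identify_log_line(line))
```

The point for a controller is the `resolve` call with a timestamp: the website never holds the lease table, but because it stores the timestamp next to the address, the one missing piece can be supplied by the ISP, which is exactly why the static/dynamic distinction carries little weight once dates of access are logged.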


Should your organization treat dynamic IP addresses as “Personal Information”?

The answer to this question, from a privacy/data protection compliance perspective, depends first of all on which privacy/data protection laws and regulations your organization is subject to. Usually, there has to be some connection between a country’s privacy/data protection laws and the organization in question.

Here are some questions that may help determine these connections:

  • In which countries does your organization have a seat of business? These might be the countries whose privacy/data protection laws apply to your organization.
  • To individuals from which countries does your organization market its business? Some countries make their laws applicable to businesses that are targeting their country’s residents or citizens or both, even if the business in question has no physical presence in that country.

For example, if your organization has a seat of business in one or more of the 28 EU member states, and processes personal data in the context of that business, the EU Data Protection Directive 95/46 (the Directive) and the Member State’s national data protection laws based upon it will apply to your organization.

Under the expanded territorial applicability of the General Data Protection Regulation (GDPR), which will replace the Directive and all the Member States’ national privacy/data protection laws as of May 2018, your organization will also be subject to the GDPR if it markets to or monitors data subjects of EU Member States, even if the organization in question has no physical presence in an EU Member State.


Are dynamic IP addresses “personal data” under the EU Data Protection Directive? Under the GDPR?

Until recently, there was no legal clarity or certainty as to whether dynamic IP addresses collected and processed by websites or third parties were Personal Data under the Directive.

However, the recent ruling of the Court of Justice of the European Union (CJEU) of October 19, 2016 in the Patrick Breyer v. Bundesrepublik Deutschland case removed all doubt: the CJEU ruled that a dynamic IP address of a website user is personal data with respect to the website operator if that website operator has the legal means allowing it to identify the user in question with the help of additional information about that user held by that user’s ISP. For example, most countries allow law enforcement (with or without a court order) to approach the ISP, in the course of a criminal investigation, for more detailed information about who an IP address was assigned to at the time of access.

If, for example, a website is the victim of a cyber attack, the website operator is usually able to contact the competent authorities, so that the latter can take the necessary steps to obtain the relevant IP address subscriber information from the ISP and to bring criminal proceedings.

That mere possibility for a data subject to potentially become identified through his/her device’s IP address renders the IP address into personal data. Controllers must ask themselves the following question: Is it reasonably likely that they or a third party might be able to identify an individual through the IP addresses which they collect and process, even if recourse to data held by a third party (here, the ISP) is required in order to obtain identification? If the answer is yes, the IP address is personal data and must be handled accordingly.

Since the GDPR has retained the same basic, broad definition of “personal data” as the definition of the Directive, it is reasonable to predict that the Breyer decision of the CJEU will apply to the GDPR and that dynamic IP addresses will be considered personal data under the GDPR.


What are the practical implications of dynamic IP addresses being considered personal information?

Once an organization has established that it is subject to the EU Directive and/or, in a short while, to the GDPR, it must ensure that all requirements applicable to the collection and handling of personal information of data subjects are applied to the collection and handling of the dynamic IP addresses of these data subjects. Some examples include notice and consent requirements, use limitations on the collected dynamic IP addresses, the provision of adequate information security for this data set, the restriction of retention periods, and the restriction of cross-border transfers of and cross-border access to dynamic IP addresses.