The Court of Justice of the European Union has declared that IP addresses are personal data in many circumstances – but were the right questions asked, and will the GDPR change the outcome?
On 19 October 2016, the Court of Justice of the European Union (the CJEU) delivered its highly anticipated decision in Case C-582/14 – Patrick Breyer v Germany (Breyer), concerning the definition of "personal data" under the EU Data Protection Directive 95/46/EC (the Directive). The CJEU held that IP addresses were personal data in many circumstances. But did the CJEU ask all of the right questions? In particular, the judgment discusses the question of whether it was possible for the BRD to obtain Mr Breyer's real-world identity, but does not discuss the question of whether the BRD was likely to try to identify Mr Breyer, which is very different test. Moreover, the General Data Protection Regulation appears to require courts to consider the issue of likelihood when assessing the nature of personal data. Had these issues been explored by the CJEU in Breyer, the outcome of the case may well have been different.
In the latest edition of Privacy Laws & Business – International Report, we consider these questions and analyse the practical impact that they will have on businesses.
Click here to download PDF.
Chris Ewing, a Trainee Solicitor at White & Case, assisted in the development of this publication.
This article was previously published in Privacy Laws & Business International Report February 2017 number 145 ISSN 2046-844X
This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.