
Study of case law on the circumstances in which IP addresses are PDF

296 Pages·2011·2.88 MB·English


Study of case law on the circumstances in which IP addresses are considered personal data

SMART 2010/12 D3. Final report

Prepared and submitted by: time.lex CVBA, Rue du Congrès 35, 1000 Brussels, Belgium
Version: 1.1
Date of delivery: 2 May 2011

Executive summary

The current document is the third deliverable (‘Draft Final Report’) to be produced under the contract between the European Commission and time.lex with respect to the “Study of case law on the circumstances in which IP addresses are considered personal data” (hereafter referred to as the Study).

As required by the tender specifications and the contract relating to the Study, the Draft Final Report contains detailed country profiles for each Member State, in each case specifying whether specific regulations or opinions pertaining to the status of IP addresses as personal data exist, and highlighting any relevant case law that has been found. Extensive descriptions of the case law have been provided, including the factual background, decision of the court or body, and any relevant factors in making this decision.

Finally, to improve the readability and usability of this report, short tables have been drafted, summarising the information that is described more extensively in the national reports.

Hans Graux
Brussels, 2 May 2011

Table of Contents

Introduction to the Study - objectives, scope and methodology of the Study
  1.1 Context
  1.2 Objectives
  1.3 Methodology
Summary overview of the country reports
  2.1. Overview of regulatory clarifications
  2.2. Overview of opinions and guidelines
  2.3. Overview of known case law
National and European reports
Austrian country profile
Belgian country profile
Bulgarian country profile
Cyprus country profile
Czech country profile
Danish country profile
Estonian country profile
Finland country profile
French country profile
German country profile
Greek country profile
Hungarian country profile
Irish country profile
Italian country profile
Latvian country profile
Lithuanian country profile
Luxembourg country profile
Maltese country profile
Netherlands country profile
Polish country profile
Portuguese country profile
Romanian country profile
Slovak country profile
Slovenian country profile
Spanish country profile
Swedish country profile
United Kingdom country profile
EU level decisions

Draft Final Report

Introduction to the Study - objectives, scope and methodology of the Study

1.1 Context

The application of data protection rules in an electronic environment has always been a difficult balancing act. This is mainly due to the very flexible way in which electronic data can be processed for multiple purposes, by multiple actors, across multiple contexts. This flexibility is frequently at odds with the high level of security required from an effective data protection framework, which implies that the legitimacy of specific acts of data processing is strongly linked to specific purposes, actors and contexts.

IP addresses are no exception to this rule. The basic discussion of whether or not (or rather: under which circumstances) IP addresses can be considered as personal data (thus falling under the scope of Data Protection Directive 95/46/EC) is as old as the Directive itself, and has not yet been conclusively settled.
It was hoped by many that the recently finalized reforms[1] of the Telecommunications Package[2] (including notably ePrivacy Directive 2002/58/EC) would settle this issue, as the legal status of IP addresses is crucial for the effective protection of the online privacy of users of electronic communication networks and services. However, this has not been the case: recital 52 of the Citizens Rights Directive 2009/136/EC merely notes that “Developments concerning the use of IP addresses should be followed closely, taking into consideration the work already done by, among others, the Article 29 Working Party, and in the light of such proposals as may be appropriate”. Thus, the issue of the circumstances under which IP addresses can be legally qualified as personal data has not yet been conclusively settled, and remains dependent on the interpretation of the general European data protection framework.

[1] See http://ec.europa.eu/information_society/policy/ecomm/tomorrow/index_en.htm; the new Directives 2009/136/EC and 2009/140/EC are to be transposed by the Member States by June 2011 (see http://eur-lex.europa.eu/JOHtml.do?uri=OJ:L:2009:337:SOM:EN:HTML)
[2] Including Directive 2002/19/EC (Access Directive), Directive 2002/20/EC (Authorisation Directive), Directive 2002/21/EC (Framework Directive), Directive 2002/22/EC (Universal Service Directive), and Directive 2002/58/EC (Directive on privacy and electronic communications)

1.2 EU Legal framework

The aforementioned Directives 95/46/EC (Data Protection Directive) and 2002/58/EC (ePrivacy Directive) constitute the main legal framework with respect to IP addresses in Europe, it being understood that the latter has recently been amended as a part of the Telecoms Reform.

Directive 95/46/EC: to what extent are IP addresses personal data?

The Data Protection Directive focuses on the protection of personal data in general, with personal data being defined as “any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity” (article 2(a)). Thus, to determine the applicability of the Data Protection Directive to IP addresses, the main question is to what extent an IP address can be considered to be able to identify a natural person.

Recital 26 of the Directive clarifies that, in order to determine whether a person is identifiable, “account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person”. The question of assessing if and when an IP address allows the identification of a natural person is not trivial, since a broad interpretation of recital 26 could lead to the conclusion that there is always an ‘other person’ (namely the ISP) who is reasonably likely to be capable of using the IP address to identify a subscriber. If that subscriber is a natural person or if a natural person can be linked to the subscriber by the ISP, then a strict reading of the Directive would imply that the IP address should be considered as personal data.

Furthermore, the question is made more complex by the consideration that an IP address strictly speaking identifies a specific network device, rather than the individual using that device, and is generally issued only temporarily (i.e. it is not a permanent and static identifier).
Thus, a very narrow reading of recital 26 might lead to the inverse conclusion, namely that the IP address typically cannot be used to identify a natural person, but only to establish and log electronic communication between two network devices. None the less, this does not allow the conclusion that an IP address cannot be considered as personal data under any circumstance, since IP addresses may be used by or attributed to a single individual for a specific period of time, thus allowing specific communication to/from an IP address to be linked to a natural person.

Directive 2002/58/EC: to what extent are IP addresses traffic data and/or location data?

The ePrivacy Directive (as amended) regulates inter alia how certain aspects of the general Data Protection Directive are to be applied in the electronic communications sector, e.g. through an obligation to draft security policies or by establishing breach notification obligations for telecommunications service providers.

In addition to the basic concept of personal data, the E-Privacy Directive also introduced the notions of traffic data (“any data processed for the purpose of the conveyance of a communication on an electronic communications network or for the billing thereof”; article 2 (b)) and location data (“any data processed in an electronic communications network or by an electronic communications service, indicating the geographic position of the terminal equipment of a user of a publicly available electronic communications service”; Article 2 (c)). In both cases, rules determining circumstances for legitimate processing are provided.

IP addresses can fall in both categories, as they are clearly processed to convey electronic communication from one system to the next, and can be used as an approximate indicator of geographic location.
It should be noted that these concepts of traffic and location data can also apply to IP addresses which have been assigned to network devices owned or operated by legal entities, and thus that their scope is not restricted to IP addresses which allow the identification of natural persons (unlike the notion of personal data under Directive 95/46/EC). In addition, the scope of application of the ePrivacy Directive is more narrowly defined than for the Data Protection Directive, as the former only applies to providers of electronic communications services. This excludes typical web based services from the applicability of the ePrivacy Directive, but obviously not from the Data Protection Directive. Thus, the concepts of traffic data and location data are clearly distinct and separate from the notion of personal data.

1.3 Interpretation of the European framework

For the interpretation of the Data Protection Directive at the European level, the Article 29 Working Party has taken a leading role. While not strictly binding, its opinions are none the less highly authoritative, and are thus of considerable importance when judging the qualification of IP addresses as personal data.

Opinion on Privacy on the Internet (2000)

One of its earliest relevant opinions has been the Opinion on Privacy on the Internet (2000)[3], in which it held that IP addresses processed by entities such as Internet Access Providers or managers of Local Area Networks should be considered as data relating to an identifiable person. The ability of these entities to link an IP address to a natural person was considered to be a crucial factor in this opinion: “In these cases, this means that, with the assistance of the third party responsible for the attribution, an Internet user (i.e. his/her civil identity: name, address, phone number, etc.) can be identified by reasonable means. […] As long as it is possible to link the logbook to the IP address of a user, this address has to be considered as personal data.”

[3] See http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2000/wp37en.pdf

Opinion on the Concept of Personal Data (2007)

In its 2007 Opinion on the Concept of Personal Data[4], a more systematic approach was taken by defining generic criteria to assess whether specific data should be qualified as personal data. Again, the Working Party recalled its 2000 opinion, noting again that “Internet access providers and managers of local area networks can, using reasonable means, identify Internet users to whom they have attributed IP addresses as they normally systematically “log” in a file the date, time, duration and dynamic IP address given to the Internet user. The same can be said about Internet Service Providers that keep a logbook on the HTTP server. In these cases there is no doubt about the fact that one can talk about personal data in the sense of Article 2 a) of the Directive …).”

Apart from the ability to identify individuals, intent to do so was also considered to be relevant, since the log files were considered to be kept with the express intent of enabling the identification of customers, or in the words of the Working Party: “the controller anticipates that the "means likely reasonably to be used" to identify the persons will be available e.g. through the courts appealed to (otherwise the collection of the information makes no sense), and therefore the information should be considered as personal data.”

Inversely, where IP addresses would not be linkable to an individual (e.g. internet cafes or other anonymous internet stations), the opinion acknowledged that IP addresses might not be personal data. However, in the absence of certainty on this point (i.e. some IP addresses might be from anonymous systems whereas others might not), ISPs would be required to treat all IP information as personal data, according to the Working Party.

[4] See http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2007/wp136_en.pdf

Opinion on data protection issues related to search engines (2008)

Issues related to the processing of IP addresses by search engine providers have been tackled in the 2008 opinion on data protection issues related to search engines[5], in which the Working Party stressed the capability to establish a search history on the basis of IP addresses. While this capability is obviously limited for the reasons mentioned above (the fact that IP addresses are not inherently assigned to an individual, and that they are not static in most cases), these issues can be alleviated through the use of cookies.

Globally, the various opinions of the Working Party underline that whether data qualifies as personal data would in principle depend on the fulfillment of the constituent elements of the definition of personal data by the particular circumstances under which the data (IP addresses) in question have been processed. Relevant factors when judging this qualification appear to include at a minimum:

- The infrastructure available to the data controller (such as the aforementioned logs in combination with customer data);
- The availability of other related data which can be combined with IP addresses to improve identifiability (such as the search history behind a specific address);
- The purpose or intent behind the processing of IP addresses (such as the aforementioned example of logging with the specific intent of enabling the identification of the end user);
- The context of the processing of IP addresses (such as an ISP which also operates its own content portal, on which IP addresses are only processed to suggest an appropriate initial language choice).

[5] See http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2008/wp148_en.pdf
