Dynamic IP addresses are now "personal data": why you should care about it.


The Court of Justice of the European Union (CJEU) has recently ruled that dynamic IP addresses should be considered personal data. This blog post briefly explains the decision and why it matters for app developers who need to comply with the European privacy framework.

The decision in a nutshell

The case C‑582/14 (Patrick Breyer v. Bundesrepublik Deutschland) of October 19th 2016 was about «the registration and storage of the internet protocol address (‘IP address’) allocated to Mr Patrick Breyer when he accessed several internet sites run by German Federal institutions».

In this ruling the Court was asked to better interpret some articles of Directive 95/46/EC in the light of the definition of IP (Internet Protocol). The interpretation was focused only on "dynamic IP addresses", since "static IP addresses" have already been classified as personal data within the scope of Directive 95/46/EC.

A dynamic IP address is a set of numbers that changes at each new connection of a router or device to the Internet. Unlike a static IP address, a dynamic IP address does not allow you to automatically associate the identity of the user with the machine surfing the Internet.

However, the Advocate General concluded and outlined in this case an important point:

"Article 2(a) of Directive 95/46/EC [...] must be interpreted as meaning that a dynamic IP address registered by an online media services provider when a person accesses a website that the provider makes accessible to the public constitutes personal data within the meaning of that provision, in relation to that provider, where the latter has the legal means which enable it to identify the data subject with additional data which the internet service provider has about that person." (See par. 65[1], Case C‑582/14).

Let's recall the definition of personal data provided by the Directive in article 2(a):
"[...] any information relating to an identified or identifiable natural person ('data subject')";

According to this provision, as an "identifiable natural person" you:
"[...] can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity";

In conclusion, although a dynamic IP address changes over time, it can be traced back to the identity of the person in a short time. This is why dynamic addresses fall within the definition of personal data. It doesn't matter that this decision was about the interpretation of Directive 95/46/EC: the latter will soon (May 2018) be repealed and amplified by the entry into force of the new General Data Protection Regulation (GDPR), which imposes new requirements on individuals and businesses, such as the appointment of DPOs (Data Protection Officers). Violations of the GDPR will carry huge costs.

Why you should care about it

Here is a first important implication: IP addresses are collected by many tools we all use for our websites or apps. For example, web servers such as Apache or Nginx record this information in the log files that they store on our servers.

Therefore one of the requirements for anyone using a web/application server is the need to show a privacy policy and inform users (see ePrivacy Directive and EU Cookie law), in addition to other administrative and technical requirements for protecting personal data. This is valid for all "personal data" such as: name and surname, photo, email address, bank details, posts on social networking websites, birthplace or your working position.

The second important implication is that anonymisation and pseudonymisation of data are even more difficult to achieve on your server, causing more trouble for Cloud Data Storage.

Under recital 26 of the new GDPR anonymized information can be defined as "information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable". On the other hand, pseudonymisation cannot be considered a method of anonymisation, since it merely reduces the linkability of a dataset with the original identity of a data subject.
Indeed, under art. 4(5) GDPR pseudonymisation can be defined as "the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person".

In other words: in order to achieve anonymisation and pseudonymisation, you must now also treat dynamic IP addresses as a form of personal data.
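As an added illustration (not part of the original post and not Chino.io code), the sketch below pseudonymises the client address field of Apache/Nginx "combined" log lines with a keyed HMAC, so the key plays the role of the "additional information" that art. 4(5) requires to be kept separately. The function names, the sample log lines and the demo key are constructed for this example; the output is pseudonymised, not anonymised, because anyone holding the key can recompute the mapping.

```python
import hashlib
import hmac
import ipaddress
import re

# Constructed sample lines in Apache/Nginx "combined" log format.
SAMPLE_LOG = [
    '203.0.113.7 - - [19/Oct/2016:10:00:01 +0200] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '2001:db8::1 - - [19/Oct/2016:10:00:02 +0200] "GET /a HTTP/1.1" 200 128 "-" "curl/7.50"',
    '203.0.113.7 - - [19/Oct/2016:10:05:09 +0200] "GET /b HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    'not-an-ip - - [19/Oct/2016:10:06:00 +0200] "GET / HTTP/1.1" 400 0 "-" "-"',
]

# First whitespace-delimited field is the client address; keep the rest untouched.
FIRST_FIELD = re.compile(r"^(\S+)(.*)$", re.S)


def pseudonym(ip_text, key):
    """Keyed pseudonym for an IP address; reproducible only with `key`."""
    ip = ipaddress.ip_address(ip_text)  # raises ValueError if not an IP literal
    # Hash the packed bytes so different spellings of one address map to one token.
    digest = hmac.new(key, ip.packed, hashlib.sha256).hexdigest()
    return "ip-" + digest[:16]


def scrub_line(line, key):
    """Replace the leading client-address field of one log line."""
    match = FIRST_FIELD.match(line)
    if not match:
        return line  # empty line: nothing to scrub
    host, rest = match.groups()
    try:
        return pseudonym(host, key) + rest
    except ValueError:
        # Not an IP literal (e.g. a resolved hostname): drop it rather than keep it.
        return "-" + rest


def scrub_log(lines, key):
    """Pseudonymise every line; the same address always yields the same token."""
    return [scrub_line(line, key) for line in lines]


if __name__ == "__main__":
    # Assumption: in practice the key is stored away from the log host.
    demo_key = b"constructed-demo-key"
    for scrubbed in scrub_log(SAMPLE_LOG, demo_key):
        print(scrubbed)
```

Requests from the same address stay linkable within the scrubbed log, which is what keeps it useful for debugging and also why it remains personal data under the definitions quoted above.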

How Chino.io helps companies with EU Health Data security compliance

Personal and especially sensitive data require protection. Companies dealing with these data should provide guarantees to users and collect consent for their processing. This is especially the case for digital health companies developing eHealth and mHealth apps, medical software or devices, and designing wearables. If they are collecting any sensitive data, these companies need to ensure compliant health data storage and APIs under the recent EU Privacy Law framework.

If you want to know more about how to ensure GDPR compliance for your healthcare application, GDPR storage requirement and mHealth data protection you can check our eBook!

For more info about Chino and how to obtain full GDPR compliant and secure hosting for healthcare applications, check our website or contact us at info@chino.io.
