European Union Court Rules that IP Addresses are Personal Data

    December 2016
    The Court of Justice of the EU (CJEU) has yet again issued an important ruling, interpreting key notions of the EU Data Protection Directive (the Directive) in its recent judgement of 19 October 2016 in the case Patrick Breyer vs. Bundesrepublik Deutschland. Whilst providing important guidance, which will remain relevant under the forthcoming EU General Data Protection Regulation (the GDPR), the ruling raises certain questions, which may need to be answered in future cases.

    Generally, the Breyer ruling serves as a timely reminder of the limited room for maneuver that national legislators have when implementing the Directive; in particular, the legal bases in Article 7. This has implications far beyond section 15 (3) of the TMG. In fact, sector-specific legislation in Germany in many cases contains provisions that set out and limit the circumstances in which personal data may be collected, processed and used in specific scenarios. All these provisions should be put under scrutiny in light of the Breyer ruling, and the legislators in Germany – but also in other Member States – will need to pay close attention to these limits when implementing the GDPR.

    This article appeared in the December edition of Privacy Law & Business.