
Is a cookie or IP address personal data?

2018/12/31

In connection with preparations for the entry into force of the GDPR, a number of opinions appeared, disseminated both verbally and in print, that information contained in cookies and IP addresses is personal data. These opinions were based particularly on the allegedly groundbreaking wording of the GDPR and on the judgment of the Court of Justice of the EU in the matter of Patrick Breyer v. Germany (C-582/14). They were then adopted and repeated, with some undertakings implementing obligations under the GDPR even in situations where no processing of personal data was involved at all. The categorical conclusion that information contained in cookies or IP addresses is always personal data is, in our opinion, just as erroneous as the conclusion that the information “hairy dog” and “5.21 m” is never personal data. Below we explain why this is so.

What is personal data?

The GDPR did not bring a new definition or expansion of the concept of personal data. Personal data thus continue to be defined as “any information relating to an identified or identifiable natural person…” (Article 4(1) GDPR). Personal data are therefore all information about a natural person whom we have already identified (we know their identity) or such information that could enable us to identify a certain natural person. This introductory part of the definition of personal data is decisive for the entire regulation in this area. Subsequently, examples of certain information that may be personal data are also given; however, these too can only be considered personal data upon fulfilment of the prerequisites set out in the basic part of the definition (we shall come to them below).

Information on the basis of which a person can be identified

Which information makes it possible to identify a natural person, and which does not yet, is a question that must be viewed primarily in relative terms, that is, from the perspective of the person who possesses or has the possibility to possess the information. Recital 23 of the GDPR also speaks in this spirit: “to ascertain whether a natural person is identifiable, account should be taken of all the means… reasonably likely to be used by the controller or by another person to identify the natural person directly or indirectly”. The means which can reasonably be expected to be used to identify a person will logically differ significantly between, for example, an intelligence service and an operator of a mail order service. Recital 23 of the GDPR adds that “to ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments”. This relative view of the availability of information necessary for identification does not, however, necessarily mean that all such information must be in the hands of a single person (paragraph 43 of the judgment Patrick Breyer v. Germany C-582/14).

From the above it therefore follows that a set of information of identical content may be personal data for one undertaking or authority, whilst not for another. It will also depend on what further means such a person can reasonably expend on identification. If we did not view this question from the perspective of the person working with the information (relatively), but rather from the perspective of the general level of technological and intelligence capabilities available to humanity, we would arrive at absurd results. In this connection, it is appropriate to refer also to Recital 4 of the GDPR, which states that “the processing of personal data should be designed to serve mankind. The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality”.

In this connection, it is possible to return to the above-mentioned demonstrative part of the definition of personal data in the provision of Article 4(1) GDPR. It states that “an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”. We consider the inclusion of this incomplete list of “identifiers” in the normative text to be unfortunate. The text may, inter alia, suggest that certain information is by its very nature always personal data (objective view), and may consequently indirectly lead to the incorrect opinions outlined above.

Information about an identified person

The situation is somewhat easier if a certain natural person has already been identified (we know who specifically is concerned). Thereafter, all information that is processed about such a person is subject to regulation in the area of personal data. If therefore a certain (identified) natural person is recorded by a controller as having a hairy dog or as having jumped 5.21 m in long jump, such information is personal data.

Examples

On the basis of the name and surname “Jan Novák” alone, without additional information, it is not possible to identify a specific natural person in the Czech Republic. This consequently means that information about a name need not always be personal data (even though a name is mentioned in the definition of personal data as one of the identifiers). The same applies to the “online identifier” mentioned in the GDPR. However, if information about a name or about an online identifier is “linkable” by the controller with other information (for example, information about place of residence, year of birth, etc.) on the basis of which a specific person can be identified (in aggregate), it will constitute personal data.

If a software company maintains a database of all streets with descriptive numbers in the Czech Republic without information about inhabitants, this will not constitute processing of personal data. If this database is transferred to a mailer who independently begins to assign to individual addresses the names of specific natural persons together with their telephone numbers, this will constitute processing of personal data. On the basis of the aggregate of this information, it will already be possible to identify a natural person by ordinary means. However, it should not constitute processing of personal data by the software company, which merely transfers underlying information subsequently used by another entity in the processing of personal data. A similar situation arises if a distributor of goods transfers a database of information about products to an operator of an internet shop, who subsequently assigns this transferred information to accounts of natural persons to whom a specific product has been sold.

IP address

From an IP address alone, without additional information, it is not possible to deduce who is the user of the device that connects to the network via this address. In our opinion, this applies not only in cases of dynamic IP addresses (assigned, for example, by a mobile operator to individual devices), but also in the case of so-called fixed (static) IP addresses. However, the situation is entirely different from the perspective of the internet connection provider, who has or should have a record of which IP address was assigned to which person, including IP addresses assigned to natural persons – see the judgment of the CJEU in the matter of Scarlet Extended (C-70/10). Of course, even the connection provider need not, without more, have information about who the specific user of a certain device in its network is.

It follows from this that, similarly to how a postal address alone without a name or other identification of the addressee will not be personal data, neither should an IP address alone without other available information be personal data. This, however, naturally does not exclude situations (certainly frequent in practice) where an IP address will also form part of a set of information that will already constitute personal data.

Cookies

In the area of cookies, what matters primarily from the perspective of the regulation of personal data is what information the specific cookies carry and what other information the person handling them possesses. Suppose, for example, that a cookie carries only information about the user’s IP address and about websites visited by the user, whilst a marketing agency does not possess further information about this user. If it cannot reasonably be expected that the marketing agency will use further means to obtain additional information necessary for identifying the user, this should not constitute processing of personal data of these users by the marketing agency. An entirely opposite situation arises with the operator of an internet service who, for the purpose of targeting advertising, links information contained in cookies (about the user’s IP address and about websites visited by the user) with specific user accounts of natural persons that it maintains. Here it will constitute processing of personal data with all consequences arising therefrom. Likewise, it will constitute processing of personal data if the operator of the website stores within the cookie itself information on the basis of which it is possible to identify a natural person (information from a registration form, etc.). The fact that not every handling of cookies will constitute processing of personal data can also be inferred from the existence of special regulation in the area of so-called ePrivacy, which would otherwise not be needed at all. The strict regulatory requirements placed on the processing of personal data would suffice entirely, and the entire discussion of these questions in the framework of preparations for the Regulation on Privacy and Electronic Communications would be practically superfluous.

Conclusions of the judgment Patrick Breyer v. Germany

In conclusion, it is appropriate to examine what is actually stated in the relatively frequently cited judgment of the CJEU in the matter of Patrick Breyer v. Germany (C-582/14). Specifically, it concerned the storage of information about IP addresses of users by the Federal Republic of Germany in connection with the provision of certain online services by public authorities, that is, a rather specific situation in which the legal and factual means available to the federal government are fundamentally out of proportion to the means available to ordinary private entities. The Court subsequently concluded that the Federal Republic of Germany “apparently has means which may reasonably be used to have the data subject identified with the help of other persons, namely the competent authority and the internet service provider, based on the stored IP addresses”. A dynamic IP address stored by the Federal Republic of Germany in connection with a person’s access to a website constitutes personal data “if it has the legal means which enable it to have the data subject identified with additional information which the internet service provider of that data subject has about that person”. However, the Court of Justice of the EU in no way challenged the above-mentioned relative view of what information constitutes personal data (the means available to the person processing such information are decisive).

From our perspective, it is therefore possible to conclude that any categorical opinions that one type of information is from a legal perspective always personal data and another type is never personal data are not correct. The same applies in full scope to information stored within cookies or to IP addresses.

Josef Aujezdský

Law Firm Mašek, Kočí, Aujezdský www.e-Advokacie.cz – online legal advice

The article was originally published on the Lupa.cz server.

This text was translated from Czech to English using an AI translator.
