The October 19, 2016, judgment of the European Court of Justice in the matter brought by Patrick Breyer against the Federal Republic of Germany,1 (the EU decision) raises the issue of whether an IP address is personal information under the EU Directive 95/46/EC of the European Parliament and provides an interesting comparison with the Canadian perspective.
In the EU decision, Mr. Breyer claimed the Federal Republic of Germany had no right to retain the IP address from the device he used to search for information on various government websites. He contended that his IP address is personal information that the website operator may only keep to facilitate access to the site and not for general purposes such as safeguarding the security of the site or fending off cyber-attacks such as denials of service.
The Court of Justice held that where third parties, such as Internet service providers (ISPs), have subscriber information that can be legally accessed by the website operator and used in conjunction with the IP address to identify the visitor, the IP address is personal information. The court seemed to leave open the question of whether the IP address would constitute personal information if the holder of it could not reasonably or legally obtain the other information needed to identify the owner of the address. In so doing, it adopted a “relative” definition of personal information.
The court also held that individual states could not pass legislation that forbids the use of an IP address for any purpose other than facilitating network access and billing.
The European decision provides an interesting contrast with the view of the Office of the Privacy Commissioner (OPC) of Canada. In a research paper published in May 2013, the OPC revealed that an IP address, combined with other publicly available information, even without any access to the ISP subscriber records, may permit identification of the owner and his or her Web-browsing or other activities. Based on this finding, an IP address may in many circumstances be personal information regardless of whether the ISP subscriber records linking that address with an individual are legally accessible to the organization collecting the IP address.
This conclusion is consistent with an earlier OPC decision in which it held that an organization’s advertising server could not attempt to access the NetBIOS of a visitor’s computer without consent. A NetBIOS is, according to the OPC, “[a] computer’s common or ‘friendly’ name related to its Internet protocol (IP) address.”2
A word of caution, however, is appropriate. The OPC’s findings do not mean that consent to the collection of an IP address is always required. There may be a number of legitimate reasons for collecting this information, including those relating to security of the site. These reasons would not necessarily extend, however, to collection and use of IP addresses for advertising purposes without some form of consent.3
3 The OPC’s view on when that consent must be opt-in rather than opt-out is discussed in PIPEDA Report of Findings #2015-001.