IP addresses as personal data (Breyer)
An IP address is a numerical label assigned to a device. It can be (always the same) or (changes each startup). Following Scarlet Extended, both are personal data in the hands of ISPs. The key case is Breyer v Germany: applying Recital 26 ('all the means likely reasonably to be used... by the controller or by any other person'), the CJEU held even dynamic IP addresses can be personal data in the hands of others (e.g. the German state) where they can lawfully obtain the identifying information from an ISP.
| Holder / type | Personal data? | Reasoning |
|---|---|---|
| ISP - static or dynamic (Scarlet Extended) | Yes | The ISP can link the IP to a particular customer |
| Website operator - static IP, no other data | Likely yes | Can build a profile distinguishing the user via the static IP |
| Website operator - dynamic IP, no other data | Often yes (Breyer) | Can identify the user if it can lawfully obtain extra info from the ISP |
Breyer turned on Recital 26: to decide if a person is identifiable, account is taken of all means likely reasonably to be used by the controller OR by any other person. German law let the state get the identifying info from ISPs in cyber-attack cases - so even dynamic IPs were personal data in the state's hands. This logic extends to many civil and commercial situations where a court can order disclosure.