The European Court of Justice recently ruled in C-582/14 that a dynamic IP address may constitute personal data even if the data collector is only in possession of the actual IP address and must be get additional information from the Internet supplier to identify the user of the IP address.

Back in 2011, the European Court of Justice ruled in the famous "Scarlet case" (C-70/10). The Court found that an IP address did constitute personal data if the IP address could identify the person behind. However, the case concerned an Internet supplier's processing of IP addresses, and the Court found that the nature of the address constituted personal data because the Internet supplier is in possession of other data about the person, which - in combination with the IP address - may be used to identify that person.

Owners of website are affected

However, the recent ruling concerned owners of websites collecting the visitors' IP addresses. The decisive difference compared to the "Scarlet case" is that a third party (the Internet supplier) is in possession of the data required to identify the user of the IP address. The Court found that, in this situation, the IP address will also constitute personal data if the owner of a website can unlawfully ask the Internet provider to hand over any necessary data to identify the user of the IP address. It is not decisive in this connection whether the Internet provider does in fact provide the owner of the website with the relevant data.

Covered by the Personal Data Act

In general, the scope of the ruling is limited to the above situations, but, notwithstanding the above, it may may have far-reaching implications for the owners of websites. The mere fact that you can contact an Internet supplier to obtain the additional data required to identify the user of the IP address implies that the owners of websites must consider the Personal Data Act each time they are in contact with dynamic IP addresses.