欧盟法院案例 | 动态IP地址构成个人数据？

Breyer had brought an action before the German civil courts for an order prohibiting the Federal Republic of Germany from storing, or arranging for third parties to store, computerised data transmitted at the end of each consultation of websites of the German federal institutions. With a view to preventing attacks and making it possible to prosecute ‘pirates’, the provider of online media services of the German federal institutions was registering data consisting in a ‘dynamic’ IP address — an IP address which changes each time there is a new connection to the internet — and the date and time when the website was accessed. Unlike static IP addresses, dynamic IP addresses do not immediately enable a link to be established, through files accessible to the public, between a given computer and the physical connection to the network used by the internet service provider. The registered data would not, in themselves, enable the online media services provider to identify the user. However, the internet service provider did have additional information which, if combined with the IP address, would make it possible for the user to be identified.

In that context, the Bundesgerichtshof (Federal Court of Justice, Germany), before which an appeal on a point of law had been brought, asked the Court whether an IP address which is stored by an online media service provider when his website is accessed constitutes personal data for that service provider.

The Court noted, first of all, that, for information to be treated as ‘personal data’ within the meaning of Article 2(a) of Directive 95/46, there is no requirement that all the information enabling the identification of the data subject must be in the hands of one person. The fact that the additional information necessary to identify the user of a website is held not by the online media services provider but by that user’s internet service provider does not, therefore, appear to preclude dynamic IP addresses registered by the online media services provider from constituting personal data within the meaning of Article 2(a) of Directive 95/46 (paragraphs 43 and 44).

Consequently, the Court found that a dynamic IP address registered by an online media services provider when a person accesses a website that the provider makes accessible to the public constitutes personal data within the meaning of Article 2(a) of Directive 95/46, in relation to that provider, where the latter has the legal means which enable it to identify the data subject with additional data which the internet service provider has about that person (paragraph 49 and operative part 1).