Case C-582/14, Breyer – seeing the logs from the trees in privacy law

Behind a website, there may be a log. This can record which pages have been viewed, when, and by which dynamic IP address. The legal question is whether this is a processing of ‘personal data’ under the EU’s ‘data processing’ Directive 95/46/EC?

Background
For electronic devices to communicate with each other, they need a network and a number. The number helps to ensure that data can be delivered to a device. The number comes from a part of the machine that runs the network.

Thus, in the context of telecoms, the device may be an individual’s Internet router. When the router connects to the telecoms network, it is quickly given a number by a machine (a ‘DHCP’ computer server), which is in charge of sending out numbers to devices like a router.

The number that is assigned to a device that connects to the internet is known as a ‘dynamic IP address’. This is a temporary number, which lasts for a set period of time.

For regulatory and billing reasons, the telecoms company’s computer system keeps a record of which particular dynamic IP address has been assigned to which particular device. The record is known as a ‘log’.

However, telecoms companies are not the only ones to make logs. For example, there may be a log ‘behind’ a website. This log will record which pages have been viewed, when, and by which dynamic IP address. It is a log that continues to exist after the visitor has left the website. It will exist even after the user has disconnected from the Internet. Indeed, the log containing of all this data may continue to exist indefinitely.

In the German courts
The German State runs various websites, and behind each of them is a log.

Mr Breyer has visited various websites run by the German State. He claims that the storage of data in the logs – together with the dynamic IP address – means that the German State (and/or third parties), is processing his personal data.

A general rule of data processing law is that personal data may only be processed after consent has been given. Mr Breyer points out that he has not given his consent for the logs behind the State’s websites to process his personal data.

However, it is also a plank of data processing law that consent is not required in every circumstance. Indeed, German statutory law specifically allows for the processing of personal data without the consent of the individual in certain, limited situations. In that context, Mr Breyer claims that what the German State is doing with its logs falls outside the scope of those statutory exceptions. Consequently, the State is unlawfully infringing his data protection rights and his rights to privacy.

When the matter was first raised, Mr Breyer’s allegation was denied by the German State. The State took the view that the logs to its websites formed a justifiable part of preventing and blocking network attacks. It pointed out that logs could be used in the criminal prosecution of those individuals who are responsible for network attacks.

Mr Breyer was not persuaded by the German State’s legal position and he sought an injunction to stop the State from storing the logs.

At first instance, his request for an injunction was refused. A Berlin court reasoned that despite there being a ‘processing’ of the dynamic IP address data, there was no processing of ‘personal’ data. This was because a dynamic IP address was not by itself sufficient to identify an individual; it was the telecoms company which gave out the dynamic IP address.

Mr Breyer disagreed with the court’s finding that his ‘personal’ data was not being processed. He appealed to another Berlin court, and indeed booked some legal success when that court took the view that there would be a processing of personal data if the log enabled the user of the website to be identified. That could be the case if he emailed or provided an email address bearing in his name – for then the dynamic IP address could be linked to his Email address and him. Since he would then be identifiable, there was a processing of personal data for which his consent was required.

The appellate court proceeded to consider whether the German State could process personal data without the consent of the data subject. It recalled that German legislation only allowed for this possibility in strictly limited circumstances; namely, data processing that was necessary to ensure that media could pass over a telecoms network, or where the processing had the purpose of preparing an individual’s bill. The appellate court took the view that neither ground could justify the German State’s claims that website security legitimated data processing without consent.

Neither Mr Breyer nor the German State was satisfied with the appellate court’s judgment and both appealed to the German Supreme Court.

At the German Supreme Court
The difficulty facing the German Supreme Court was the correct interpretation of the EU’s ‘data processing’ Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ [1995] L281/31).

The primary issue is whether a dynamic IP address, together with the time of a download, constitutes ‘personal data’.

The concept of ‘personal data’ is defined in Article 2(a) of the data processing Directive:

‘personal data’ shall mean any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;

But what did the provision mean? The literal wording was ambiguous. Could the individual be said to be identifiable?

The opinions of legal commentators writing in German, and the judgments of both various German courts plus the CJEU itself, appeared divided on the issue of whether a dynamic IP address and the time, could constitute ‘personal data’.

The key barrier to a finding of personal data being processed was the fact that it was third parties who possessed the requisite knowledge to be able to identify an individual.

Some legal authors asserted that seen objectively, the possibility that an individual could be identified with the aid of a third party’s knowledge meant that an individual was ‘identifiable’, with the result that there was a processing of ‘personal data’. Mr Breyer’s submissions would therefore be correct.

That said, the general view expressed in the literature was that being able to access the knowledge of a third party was insufficient to constitute the processing of ‘personal data’ simply because it was disproportionately impractical, costly and labour intensive to identify an individual – the chances of identifying an individual were almost negligible.

In that context, it was the telecoms company that was assigning the dynamic IP address and it was the actor processing personal data, not the log of a website. A telecoms company could only disclose the identity ‘behind’ a dynamic IP address if there were specific legal grounds to mandate such a disclosure being made.

If, however, a dynamic IP address would indeed constitute ‘personal data’, for which the consent of the individual was required before processing could occur, then a second legal issue arose.

Namely, since the processing and storage of the dynamic IP address (together with all of the other data) continued to take place after the data subject had finished using the website, did that processing exceed the scope of what was permitted under Article 7(f) of the Directive?

The relevant provision in Article 7 of the Directive decrees:

Member States shall provide that personal data may be processed only if:

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject which require protection under Article 1(1).

The unknown issue was whether that wording could support a defence of ‘website security’?

On the one hand, German law allowed data processing without consent for the purposes of ensuring media could pass over a telecoms network. Conceivably, a network could be subject to a ‘Denial of Service Attack’ which could hypothetically paralyse a website, and thus prevent any and every user from using a networked telecoms system.

On the other hand, the general opinion expressed by authors writing in German tended to shy away from such an understanding of the German statutory exceptions that permitted data processing without consent. The German statute only seemed to permit an exception for the actual use of a network or for actual billing purposes, and neither would lend support to some general ‘purpose’ of ensuring the security and functionality of a telecoms system.

Yet there was some legal doubt as to how to interpret the German legislation in light of the CJEU’s reasoning in Case C-468/10, ASNEF ECLI:EU:C:2011:777.

In Case C-468/10, ASNEF, the CJEU had explained:

29 Accordingly, it has been held that the harmonisation of those national laws is not limited to minimal harmonisation but amounts to harmonisation which is generally complete. It is upon that view that Directive 95/46 is intended to ensure free movement of personal data while guaranteeing a high level of protection for the rights and interests of the individuals to whom such data relate (Lindqvist, paragraph 96).

30 Consequently, it follows from the objective of ensuring an equivalent level of protection in all Member States that Article 7 of Directive 95/46 sets out an exhaustive and restrictive list of cases in which the processing of personal data can be regarded as being lawful.

31 That interpretation is corroborated by the term ‘may be processed only if’ and its juxtaposition with ‘or’ contained in Article 7 of Directive 95/46, which demonstrate the exhaustive and restrictive nature of the list appearing in that article.

32 It follows that Member States cannot add new principles relating to the lawfulness of the processing of personal data to Article 7 of Directive 95/46 or impose additional requirements that have the effect of amending the scope of one of the six principles provided for in Article 7.

Against this backdrop, the German Supreme Court could not square the German legislation with Article 7 of the Directive; indeed the five judges wondered whether the German legislation was at all compatible with the EU legislation.

Could Article 7 of the Directive be interpreted as permitting data processing after the user has ceased using the website on the basis that this could ensure the functioning of the telecoms network?

The German Supreme Court decided to make a preliminary reference to the CJEU.

Questions Referred
According to the Curia website, the German Supreme Court has asked:

1. Must Article 2(a) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data […] — the Data Protection Directive — be interpreted as meaning that an Internet Protocol address (IP address) which a service provider stores when his website is accessed already constitutes personal data for the service provider if a third party (an access provider) has the additional knowledge required in order to identify the data subject?

2. Does Article 7(f) of the Data Protection Directive preclude a provision in national law under which a service provider may collect and use a user’s personal data without his consent only to the extent necessary in order to facilitate, and charge for, the specific use of the telemedium by the user concerned, and under which the purpose of ensuring the general operability of the telemedium cannot justify use of the data beyond the end of the particular use of the telemedium?

Comment
The German Supreme Court’s reference in ‘Breyer’ downplays the extent of the CJEU’s recent case law when it comes to national derogations and limitations in respect of the protection of personal data.

Although mention is made of Case C-70/10, Scarlet Extended ECLI:EU:C:2011:771, none is made of the EU Charter or the CJEU’s recent case law in C-473/12, IPI, EU:C:2013:715; Cases C-293/12 and C-594/12, Digital Rights Ireland and Others, EU:C:2014:238.

The timing of the German Supreme Court’s reference in ‘Breyer’ is extremely propitious for it raises a number of issues which are already before the CJEU.

Namely, is it desirable for society to be able to surf the Internet anonymously? This issue is at stake in Case C-484/14, McFadden.

The ‘Breyer’ reference raises the issue of consent to processing, and the purpose of that processing. Again, this issue already forms the subject of another recent preliminary reference which has been made to the CJEU.

Equally, the rights and legitimate interests of third parties and robustness of privacy and secrecy law is at stake in the context of a preliminary reference about the enforcement of EU IP rights.

And the Breyer reference comes at a time when privacy and international trade law is the subject of a request from the European Parliament for a CJEU opinion about the new Passenger Name Record Agreement that has been concluded with Canada. According to a Resolution of the European Parliament dated 25 November 2014, the request of the European Parliament centres on whether this Agreement complies with various provisions of EU law and the EU Charter, in particular, Articles 7, 8 and 52(1) of the EU Charter as regards the right of individuals to protection of personal data.

Last week, Mr Breyer was also partially successful before the General Court. He had already tried to access documents from the EU Commission in relation to earlier data retention litigation involving Austria and Germany before the CJEU (C‑189/09, EU:C:2010:455). The General Court ruled partly against the EU Commission. See further, Case T-188/12 Patrick Breyer v Commission ECLI:EU:T:2015:124.

Update – 14 May 2015
The General Court’s judgment has been appealed to the CJEU and is docketed as C-213/15 P.

Update – 25 January 2016
The Second Chamber is due to hear the Breyer case on 25 February 2016.