CJEU - C-582/14 - Breyer

From GDPRhub
Revision as of 09:39, 19 October 2024 by ManTechnologist (talk | contribs) (ManTechnologist moved page CJEU - C-582/14 - Patrick Breyer to CJEU - C-582/14 - Breyer)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
CJEU - C-582/14 Breyer
Cjeulogo.png
Court: CJEU
Jurisdiction: European Union
Relevant Law:
Article 1 Directive 95/46
Article 13(1) Directive 95/46
Article 2(a), (b), (d), (f) Directive 95/46
Article 3 Directive 95/46
Article 5 Directive 95/46
Article 7 Directive 95/46
Recital 26 Directive 95/46
Paragraph 12 Telemediengesetz (Law on telemedia) of 26 February 2007
Paragraph 15 Telemediengesetz (Law on telemedia) of 26 February 2007
Paragraph 3(1) of the Bundesdatenschutzgesetz (Federal Data Protection Law) 20 December 1990 (BGBl. 1990)
Decided: 19.10.2016
Parties: Patrick Breyer
Case Number/Name: C-582/14 Breyer
European Case Law Identifier: ECLI:EU:C:2016:779
Reference from: BGH (Germany)
Language: 24 EU Languages
Original Source: Judgement
Initial Contributor: Elaine Thuo


The CJEU made a decision concerning the processing of personal data by a German state agency with respect to a dynamic IP address of a data subject.

English Summary

Facts

Mr. Breyer accessed several websites, which provided topical information, operated by German Federal Institutions which were accessible to the public. To prevent attacks, the sites stored information on all access operations in log files. Information stored include name of the web page, terms entered in the search fields, time of access, quantity of data transferred, an indication of whether the access was successful and the IP address of the computer that accessed the website.

Mr. Breyer brought an action before the German Administrative Court seeking an order to restrain the Federal Republic of Germany from storing his access information of his visit to the website. This first action was dismissed.

He appealed to the Court of Appeal. The court granted the injunction but only in part. The court ordered the Federal Republic of Germany to refrain from storing or arranging with third parties to store, at the end of each consultation period, information relating to Mr. Breyer's access including his IP address and any information that could result in revealing his identity. The court further stated that a dynamic IP address together with the date on which the website was accessed, where the user had revealed his identity during that consultation period, amounts to personal data since the user’s identity is tied to that particular dynamic IP address. On the other hand, the court observed stated that where Mr Breyer did not reveal his identity and only the internet service provider knew his identity the dynamic IP address doesn’t amount to personal data.

Mr Breyer and the Federal Republic of Germany each brought an appeal on a point of law before the Federal Court of Justice, Germany (Bundesgerichtshof). Mr Breyer sought to have his application for an injunction upheld in its entirety while the Federal Republic of Germany sought to have it dismissed. The Federal court stayed the proceedings and referred the following issues to the CJEU.

Dispute

The CJEU answered the following questions:

a) Whether a dynamic IP address constitutes personal data as defined under Article 2(1)(a) Directive 95/46 where a third party has additional knowledge required to identify a data subject.

b) Whether Article 7(1)(f) prevents a provision in national law that allows a service provider to collect and use personal data without the data subject’s consent for purposes of ensuring general operability of the tele-medium.

Holding

On the first question, the court reiterated personal data under Article 2(1)(a) Directive 96/45 is defined as information relating to an identified or an identifiable natural person. Also, an identifiable person is one who can be identified directly or indirectly by reference to an identification number or to one or more factors that are specific to the person’s physical, physiological, mental, economic, cultural or social identity. The court also noted that it was held in Scarlet Extended (C‑70/10), IP addresses of internet users were protected as personal data because they allowed users to be identified even though this case was concerning collection and identification of IP addresses by internet service providers. In answering this question, the court observed that a dynamic IP address alone doesn’t amount to information of an identified person but for it to fall under the definition in Article 2(1)(a) Directive 96/45 there must be additional data that can lead to the identification of a natural person. The court referred to Recital 26 Directive 95/46 which states that to determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person. The referring court highlighted that German law doesn’t allow internet service providers to transmit data necessary for the identification of a data subject directly to online media services providers except in the event of cyber attacks when the online media services provider can contact a competent authority who can contact the internet service provider for such information that may help bring criminal proceedings. In light of this, the court held that an IP dynamic address is personal data where an online media services provider has legal means that enable them to identify natural persons.

On the second question, the court first examined whether the processing activities if the General Federal Institute fall under the exception under Article 3(2) Directive 95/46 of processing activities of the state in criminal law. On this, the court referred to the decisions in Lindqvist, C‑101/01 and Satakunnan Markkinapörssi and Satamedia, C‑73/07 where it was stated that activities of the state or state authorities fall under the exception in Article 3(2) Directive 96/45. In the present case, the court observed that despite the status of the German Federal Institutions as public authorities, their activities fall outside the area of state criminal law activities. On to the main question of consent, the court referred to the wording under Article 7(1)(f) Directive 96/46 that provides that personal data may be processed based on a legitimate interest of a controller or a third party, without the consent of the data subject, except where such interests are overridden by the interests, fundamental rights and freedoms of the data subject. Besides, the court referred to the judgement in ASNEF and FECEMD, C‑468/10 and C‑469/10 at paragraphs 30 and 32 where the court held that Article 7 Directive 96/45 provides an exhaustive and restrictive list of cases in which the processing of personal data can be regarded as being lawful. Also, member states cannot add new principles relating to the lawfulness of processing personal data or impose additional requirements that have the effect of amending the scope of one of the six principles provided for in that article. This position is clearly stipulated under Article 5 Directive 95/46 which provides the margin of discretion that member states have according to Article 7 Directive 95/46. In light of this, the court observed that Paragraph 15 of TMG, if interpreted strictly, has a more restrictive scope than that stipulated under Article 7 Directive 96/45. The court held that the provision under Paragraph 15 reduces the scope of the principle laid down under Article 7 Directive 95/46 by excluding the balance of the controller’s interest and the fundamental rights and freedoms of users which call for protection under Article 1(1) Directive 95/46.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!