Today, Attorney General Campos Sánchez-Bordona has delivered his Opinion in the Patrick Breyer v Federal Republic of Germany case before the ECJ (C-582/14; you can find the Opinion here in just about any language except English)).
We recall: The Bundesgerichshof (the highest court in Germany for all civil and criminal matters) submitted to the ECJ the following two questions:
“Must Article 2(a) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data 1 — the Data Protection Directive — be interpreted as meaning that an Internet Protocol address (IP address) which a service provider stores when his website is accessed already constitutes personal data for the service provider if a third party (an access provider) has the additional knowledge required in order to identify the data subject?”
“Does Article 7(f) of the Data Protection Directive preclude a provision in national law under which a service provider may collect and use a user’s personal data without his consent only to the extent necessary in order to facilitate, and charge for, the specific use of the telemedium by the user concerned, and under which the purpose of ensuring the general operability of the telemedium cannot justify use of the data beyond the end of the particular use of the telemedium?”
Whereas the first question has been discussed controversially at least in Germany for more than a decade now, the second question is really interesting as it highlights a problem that those whose job it is to apply German data protection law have been dealing with for many years: The data protection provisions contained in the German Telemedia Act do not align with the Directive (95/46/EC that is) at all, are completely different from the corresponding data pProtection provisions that apply to all “non-telemedium” situations covered by the German Federal Data Protection Act, and are, finally, considerably more restrictive then both the Directive and the German Federal Data Protection Act.
As regards the first question, the Advocate General, predictably, opines that an IP address is personal data not only for the access provider (this, ECJ already decided in Scarlet Extended SA gegen Société belge des auteurs, compositeurs et éditeurs SCRL (SABAM)) but also for the website provider who stores the IP address when a user visits his/her website, at least where and as long as the access provider still possesses the additional information that, if put together, makes the user personally identifiable.
If the ECJ decides to follow the advocate general’s opinion regarding the second of the above questions, though, we would look at an interesting 1.5 to 2 years in Germany. Of course, the new Regulation will enter into full force and effect on May 25, 2018. As from then, we will live in a fully harmonised data protection Europe (theoretically, at least). But before then, some, if not all, of the core data protection provisions that govern the collection, processing and use of personal data specific to websites and other uses of the Internet in all their shapes and forms could only be applied in accordance with the Directive, which, bluntly put, would mean that they could not be applied at all because they differ so much from the corresponding provisions of the Directive. We would then quite possibly have a situation where the Directive would have to be applied directly if we accept that it “entails [a] grant of rights to individuals” and that “the content of those rights [are] identifiable on the basis of the provisions of the [D]irective” (as per the ECH in Dori v Recreb).
To understand the Advocate General’s opinion, we need to look at section 15 (1) of the Telemedia Act, which is the provision that the second question of the Bundesgerichts refers to:
“The service provider may collect and use personal data of a user inasmuch as it is necessary in order to facilitate, and charge for, the specific use of the telemedium [i.e. the website, the email service etc.). (…)”
Therefore (as was relevant for the case before the Bundesgerichtshof), the purpose of ensuring the general operability of a website can, according to the provision, not justify the storage of IP addresses. That would all be fair and well if the Directive was not a lot more (unspecific and) liberal. Article 7 (f) of the Directive, as the Advocate General explains in his Opinion, is more generous:
“Member States shall provide that personal data may be processed only if:
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject which require protection under Article 1 (1).”
Section 15 (1) of the Telemedia Act, therefore, prohibits something that the Directive allows as, says the Advocate General, the purpose of ensuring the general operability of a website is a legitimate interest under Article 7 (f) of the Directive. Hence, section 15 (1) of the Telemedia Act is not in accordance with the Directive. And, applying this approach, all of the core data protection provisions of the Telemedia Act fall under the same problem. It will be interesting to see, if service providers will change their approach to IP addresses and other data they receive as a result of users accessing their websites, given that the coming Regulation appears to be more liberal as well.