Are IP addresses personal data?

An IP address, which is used to direct communication between devices, can be linked to someone’s physical identity, in particular when combined with information held by an internet service provider. Court of Justice of the European Union cases confirm that IP addresses constitute personal data.

Explainer

Introduction

An IP (internet protocol) address is an identifying number that is assigned to every device connected to the Internet. Its purpose is to help machines on different networks efficiently communicate with one another by using a series of numbers or letters that identify the target destination for information sent through the Internet.

You can find your IP address in device settings or by using a website such as https://browserleaks.com/ip. You’ll notice that these may differ - websites return your router’s public IP address, whereas your device will report its address on its local network (eg as provided by a router when connecting to WiFi).

Every time you visit a website or use some other Internet service, you need to tell the other party where you connected from so they can send information back to you. That means giving out your IP address widely and frequently (including to those who place their content on other people’s websites, such as advertisers). As such, IP addresses can, in practice, be used to track and identify us in various ways. They are frequently used within the advertising industry to assist with targeted advertising. They can also be used to help with the geolocation tracking of individuals (even though the location of an IP address may not always match the device’s location).

The definition of personal data in the GDPR is ‘any information relating to an identified or identifiable natural person’. IP addresses can often be linked (or can help with making a link) to a specific device. Because of how closely connected we can be to our devices, often being the sole user, they can uniquely identify us.

While there are some nuances about how IP addresses work that can complicate the identification of a device (and so a person) from an IP address, that doesn’t prevent them from qualifying as personal data. Treating IP addresses as personal data helps (in theory) to protect individuals from some of the dangers of online tracking, because it would mean that they would benefit from the protections enshrined in data protection laws like the EU’s General Data Protection Regulation (GDPR).

From 123.45.67.89 to your front door

An IP address is a bit like a postal address, but it is significantly more abstract and more transient. An IP address is not an inherent property of a device, but rather something that is assigned to it. Understanding how the link from an IP address to a person is made therefore needs more careful consideration of how IP addresses actually work.

The two types of IP address

Firstly, there are actually two different forms of IP address. The older standard (IPv4) represents an address as four numbers between 0 and 255, separated by full stops. This has numerical limitations allowing for about 4 billion addresses in total, worldwide, which has not proved to be enough as the Internet has expanded rapidly. The newer standard (IPv6) takes the form of eight groups of four numbers and letters (actually hexadecimal numbers) separated by colons. IPv6 provides 128 bits of total address space, so there are about 340 undecillion IPv6 addresses.

More and more ISPs are now using IPv6 in addition to IPv4. However, despite being around since 1998, uptake of IPv6 has only recently reached 50%. You may find that your device uses both standards - and therefore has more than one IP address. Part of the reason behind the continued use of IPv4 is that IPv6 has historically required newer hardware and technical expertise, which costs money, which consumer-facing ISPs in particular may be reluctant to spend.

IPs can be shared across many devices

Secondly, an IP address can be shared across hundreds of customers of the same Internet Service Provider (ISP) using a technique called Carrier-Grade Network Address Translation (CGNAT). This is necessary when there are more customers than there are available IP addresses, and it means that while every device with an Internet connection has an IP address, that address is not always unique to a device.

Use of CGNAT is most commonly seen with mobile/cellular providers, when your device is connected to their network and using one of their routers.

The increasing use of IPv6 is reducing the need to share IP addresses because it allows for significantly more unique addresses than IPv4. However, IPv6 addresses can still be shared using tools like NPTv6, which works similarly to CGNAT.

Sharing IP addresses with CGNAT effectively creates another network between the public internet and subscribers, which ISPs can direct traffic within. The result is that the public IP address alone simply reveals who the ISP is, not the customer.

IPs are not always stable over time

Thirdly, the way a device is assigned an IP address can be either static or dynamic. ISPs have a pool of IP addresses that they are able to assign to a customer. Static IP addresses are unchanging: the device is assigned the same IP every time it connects to the internet.

Unless you have arranged to have a static IP with your provider, your IP address is not guaranteed to stay the same each time you connect to the internet. Assignments are time bound, and often rely on the hardware address of the internet gateway (eg your router). Rebooting, updating or changing your internet gateway can cause the address to change.

Individuals do not normally need to have static IP addresses. However, since ISPs only have a finite number of them to assign, they will typically charge users who would like a static IP address a fee. Businesses may do this to assist in hosting servers and/or their local networks.

IP addresses as personal data

Given how IP addresses work in practice, it may not always be immediately obvious how to identify a user from an IP address. Data protection law typically requires that an individual must be identifiable for data to count as personal data.

Because static IP addresses are fixed, it’s relatively straightforward to see why they ought to be considered personal data, as there is a consistent link between the IP address and the subscriber. The IP address therefore acts as an ‘identifier’ for the device and, by extension, the user of that device. On the other hand, it may not be straightforward that a dynamic and/or shared address allows for identification.

However, the UK’s data protection regulator, the Information Commissioner’s Office (ICO), describes IP addresses as ‘online identifiers’: a digital means of identifying an individual within information, which makes that individual ‘identifiable’ and the information therefore personal data. IP addresses are also considered to be an ‘online identifier’ within recital 30 of the GDPR, which explicitly lists IP addresses as an example.

That’s because ISPs are typically required to retain records and so it’s not hard for them to identify which IP address was assigned to which subscriber at any particular point in time. That’s true for both dynamic and shared IPs - with the right information, an ISP will be able to identify who was using a particular IP address at a given time.
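As an added illustration (not part of the original article), the sketch below runs the kind of lookup described above over constructed ISP records: a timestamp resolves a dynamic address to one subscriber, while a shared (CGNAT) address also needs the source port. The record layouts, the port-block logging, the addresses and the subscriber IDs are all assumptions made for the example.

```python
from datetime import datetime
from ipaddress import ip_address

# Constructed ISP records (documentation address ranges; subscriber IDs are made up).
# Dynamic assignment log: (public IP, lease start, lease end, subscriber)
LEASES = [
    ("203.0.113.7", "2024-03-01T08:00", "2024-03-01T20:00", "SUB-1001"),
    ("203.0.113.7", "2024-03-01T20:00", "2024-03-02T09:30", "SUB-2002"),
]
# Assumed CGNAT log: (shared public IP, first port, last port, start, end, subscriber)
CGNAT_BLOCKS = [
    ("198.51.100.20", 1024, 2047, "2024-03-01T00:00", "2024-03-02T00:00", "SUB-3003"),
    ("198.51.100.20", 2048, 3071, "2024-03-01T00:00", "2024-03-02T00:00", "SUB-4004"),
]


def _in_window(ts, start, end):
    """True if ts falls in the half-open interval [start, end)."""
    return datetime.fromisoformat(start) <= ts < datetime.fromisoformat(end)


def attribute(ip, when, src_port=None):
    """Return the set of subscribers who could have been behind `ip` at `when`.

    One result means the records single out a subscriber; several means the
    observer's data (no source port for a shared address) is not yet enough.
    """
    addr, ts = ip_address(ip), datetime.fromisoformat(when)
    hits = {sub for lease_ip, start, end, sub in LEASES
            if ip_address(lease_ip) == addr and _in_window(ts, start, end)}
    for nat_ip, lo, hi, start, end, sub in CGNAT_BLOCKS:
        if ip_address(nat_ip) != addr or not _in_window(ts, start, end):
            continue
        # Without a port every subscriber sharing the address is a candidate.
        if src_port is None or lo <= src_port <= hi:
            hits.add(sub)
    return hits


if __name__ == "__main__":
    print(attribute("203.0.113.7", "2024-03-01T19:59"))          # dynamic IP, first lease
    print(attribute("203.0.113.7", "2024-03-01T20:00"))          # same IP after reassignment
    print(attribute("198.51.100.20", "2024-03-01T12:00"))        # shared IP, no port
    print(attribute("198.51.100.20", "2024-03-01T12:00", 2500))  # shared IP plus port
```

The same address maps to different subscribers on either side of a reassignment, which is why a stored IP address is only meaningful as an identifier together with the time it was observed.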

But just because ISPs can do it, does that mean that IP addresses are always personal data? There is some interesting case law from the Court of Justice of the European Union (CJEU) on the matter.

Breyer v Bundesrepublik Deutschland

The first important case on whether dynamic IP addresses can be considered personal data is Breyer v Bundesrepublik Deutschland (C-582/14). The case involved a German man, Patrick Breyer, who accessed several websites operated by German federal institutions and sought to legally restrain the federal government from storing his access information, including IP address. The courts established that dynamic IP addresses could constitute personal data when they can be linked with other information that identifies the user.

The identifying information in question was not held by the federal government but by the ISPs who could link the IP address to the user. Individuals would clearly be identifiable by their dynamic IP address if the information held by the ISPs was combined, but the question remained as to whether the federal government (who themselves held only the dynamic IP address) could do so, given that this would require the assistance of the ISP.

Data protection law states that, to determine whether an individual is identifiable, ‘account should be taken of all the means reasonably likely to be used’. Here, the court stated that an IP address would not constitute personal data if identification was impossible, prohibited by law or required a disproportionate amount of effort. However, under German law, website providers are capable of contacting ISPs and obtaining subscription information for specific purposes (e.g. in the event of cyber attack). The court considered this was a means reasonably likely to be used to identify the data subject.

In conclusion, storing dynamic IP addresses counts as personal data processing if there is a legal means, reasonably likely to be used, of attributing the IP address to a person (even if that is by virtue of assistance from a third party).

German Federal Court of Justice (BGH)

There is currently another case from Germany pending before the CJEU about the identifiability of dynamic IP addresses. This case may go further than Breyer in understanding the ‘reasonably likely to be used’ test: do the means have to concretely exist, or is theoretical availability enough?

The German Federal Court of Justice (Bundesgerichtshof, BGH) has referred several questions to the CJEU, which can be summarised as:

  1. Are dynamic IP addresses personal data when transmitted if some third party has the additional knowledge necessary to identify the data subject?
  2. If not, do either the sender or the recipient need to have reasonable means likely to be used for identification for the IP address to be considered personal data (including with the assistance of a third party)?
  3. If so, is it sufficient that the means likely to be used may exist or must they actually exist in factual and legal terms in the specific case?

If the CJEU finds that an actor needs to have means to identify a data subject that are both likely to be used (question 2) and that concretely exist (question 3), then this may create a situation in which IP addresses could be personal data in the hands of one party, but not necessarily the other.

A final note on identifiability, the SRB case and the digital omnibus

The question of who can identify a person from data is currently an important topic of political debate in the EU. Another CJEU judgment, EDPS v SRB (C-413/23P), and changes to the GDPR proposed by the European Commission, go to the heart of the question of whether information sent to someone who does not have the means to attribute it is personal data processing.

The SRB case involved data sent by the Single Resolution Board (SRB, an EU body) to Deloitte (a consultancy firm). The data was pseudonymised, filtered, and aggregated prior to being sent to Deloitte, who did not have access to the key enabling them to ‘decrypt’ the pseudonyms. The data transferred (stakeholder feedback about a Spanish bank) was clearly personal data to SRB, but the question was whether the data was personal data for Deloitte, who could not identify the stakeholders.

The EDPS argued that because the ‘decryption’ key exists (even though in another’s hands and inaccessible to Deloitte), the pseudonymised information was identifiable and so must still be considered personal data to all parties. But the CJEU disagreed, stating that pseudonymisation may ‘effectively prevent persons other than the controller from identifying the data subject, in such a way that, for them, the data subject is not or is no longer identifiable [86]’.

The CJEU continued that the data would not be considered personal data to Deloitte where: (1) Deloitte was unable to remove the pseudonymisation measures; and (2) the pseudonymisation measures did in fact prevent Deloitte from attributing the data to data subjects.

The European Commission is now seeking to go even further than this judgment by allowing for organisations to make a subjective assessment themselves of whether they can (or wish to) identify people from data. This may give too much leeway to companies and may result in data being sold or shared to others who can identify people without the needed protections.

Conclusion

IP addresses are essential to the functioning of the Internet. Because they can be connected to individuals, they ought to be treated as personal data at the very least by anyone who can make such an identification.

The increased rollout of IPv6 is understandable, but it may also make it easier for individuals to be identified and tracked. That may be especially the case as advertisers look to rely on ways of tracking people other than cookies.

Protecting yourself against misuse of your IP address may not be straightforward, but steps like using a VPN (or The Onion Router (Tor)) can help to stop invisible tracking of your IP address online. That’s because using a VPN adds an extra ‘hop’ to your network so that you’re browsing via the IP address of one of the VPN provider’s machines.

Glossary

Ad targeting

Ads are "targeted" when they are aimed at an audience with specific traits based on the product or service that is being advertised.

Ads personalisation

Ads are "personalised" when they are targeted to a specific person based on their perceived or inferred interests or characteristics. These interests and characteristics are themselves derived from previous online activity, such as visited websites or apps used.

Tracking pixel

Used to identify your online activities. A website or tracking firm gets your browser or mail app to download an invisible image, that is linked to a unique tracking object stored on the server, thereby disclosing to the server that you have undertaken an activity. When in an email, it indicates to the server that you have opened the email.