15th Newsletter -> 15 - 21 October 2016

CJEU Defines Personal Data in the “Breyer” Case Ruling

The Court of Justice of the European Union (CJEU) issued its judgement in the Case C‑582/14 also known as the “Breyer” case, where the Court was deciding on whether a dynamic IP address could be personal data. The case was referred to the CJEU by the German Courts and the core of the dispute was the fact that the public websites of many German federal institutions store information on all access operations in log files, which is not necessarily deleted after the access is terminated. The purpose of storage of such log files is to prevent cyber-attacks.

Probably the most important preliminary questions that the CJEU answered was whether a dynamic Internet Protocol address (IP address) can be deemed personal data. An IP address is a sequence of numbers assigned by an internet service provider (ISP) to each computer that accesses the internet. IP address can be either static (permanently assigned) or dynamic, which are only temporary assigned and are quickly reassigned. Due to their nature dynamic IP addresses cannot be used to directly identify the computer from which access had been sought.

In its judgement the CJEU noted that in the event of a cyberattack the German law appears to provide an option for website operators to contact the appropriate authorities, who might then take the steps necessary to obtain information from ISPs and bring criminal proceedings. The CJEU thus concluded that dynamic IP addresses can fall under the scope of personal data if website operators have legal means that enable the identification of the person associated with the IP address with the help of additional information which that person’s internet service provider has.

Read more HERE

Read the ECJ Judgement HERE


EDPS Issues New Opinion on Online Identities

The European Data Protection Supervisor Giovanni Buttarelli this week issued his Opinion on Personal Information Management Systems (PIMS). The General Data Protection Regulation (GDPR) gives individuals an option to increase their control over how their personal data is collected and used online with its provisions on increased transparency, rights of access and data portability. But the EDPS is of the opinion that more should be done to help individuals because the data collected online can be used to build increasingly complete individual profiles and this presents an obstacle for individuals to exercise their rights or manage their personal data online.

The PIMS should allow individuals to store their personal data in secure, online storage systems and decide when and with whom to share it. Presently due to its novelty a variety of PIMS designs and business models exist. PIMS technology may help to give individuals and consumers more control over their personal data and the EDPS encourages the EU Commission to support the development of innovative digital tools such as this and take policy initiatives that inspire the development of economically viable business models to facilitate their use. Effective implementation of data protection requires technological, economical and legal initiatives, which will help us to take back control of our online identities.

Read the EDPS Statement on his Opinion HERE

Read the Full Opinion HERE