Background

The European Data Protection Directive (DPD) 95/46/EC and the General Data Protection Regulation (GDPR) has been enforced with the sole objective to encourage consistent free circulation of personal data while safeguarding the individual rights of the concerned persons (Reidenberg 2014). A high level of shield is ensured to the extent that unless third countries guarantees a sufficient level of protection, data transfer shall not be allowed outside EU/EEA as stipulated under Article 25 of the DPD. Such ‘adequacy’ level shall be determined based on all such circumstances that are associated with data transfer operations including international agreements, domestic laws and the ‘rule of law’ that is in force in the concerned third country as stated under Article 25 (2) DPD.

This paper critically analyses the judgment made in the Breyer’s case by Court of Justice of the European Union (CJEU). The case deals with question whether the dynamic IP address of a website visitor amounts to personal data for website publisher when the internet access provider can secure a name to that IP address (Danezis et al. 2015). It further deals with the question whether the data protection provisions under the German Telemedia Act is consistent with the EU law, given that it precludes a justification based in legitimate interests provided stipulated in Article 7(f) of the Directive.

In the context of derogation to privacy rights, the concept of legal grounds and legality for processing, which includes legitimate interests, have developed into a separate requirement for data protection.

 European Convention on Human Rights (ECHR)

In 1950, the ECHR incorporated the Right to Privacy under article 8 to ensure that the family life, home and private life of a person is respected. It prevents intrusion with the privacy right unless such intrusion amounts to a necessity in an autonomous society and is in accordance with the law. Such intrusion is conducted to satisfy certain form of compelling and particularly listed public interests.

The right to privacy stipulated under Article 8 ECHR usually ensures that private life is safeguarded and any interference with privacy is subjected to justification. This article aims at safeguarding the private life of persons except under justifiable and stringently defined circumstances. In case of an intrusion with the privacy of a person, it is crucial to establish a legal foundation and identify the legal purpose of such interference. This is important to determine whether such interference with privacy was necessary and justified. Roosendaal and Wright (2017) states that this approach adopted by the ECHR signifies that it does not set out any particular list if legal grounds but it simply emphasizes on the necessity of a statutory basis and the conditions that such legal basis is required to fulfill.

European Convention on Human Rights (ECHR)

Convention 108

The Council of Europe’s Convention 108 that was signed in 1981 established the need to protect personal data as a different concept altogether. McGeveran (2016) believes that the fundamental idea behind the evolution of such concept did not imply that processing of personal data shall always be perceived as ‘interference with privacy’ instead it was perceived as a concept that safeguards the fundamental rights and freedoms. In regards to the right of such persons to privacy, processing of personal data shall be permitted only when certain conditions are fulfilled. Jonason (2017) argues that the Convention 108 did not provide any legal grounds for processing personal data even after establishing fundamental principles for data protection law under Article 5. The provision requires that automatic processing of personal data shall be obtained and processed lawfully and in a fairly manner.

Directive 95/46/EC

When the Directive was adopted in 1995, the Directive was built based on the previous data protection instruments including Convention 108. The directive sets out additional requirements that are not mentioned in the Convention 108 where such additional requirements include six legal grounds stipulated under Article 7 of the Directive 95/46/EC.

An Internet Protocol address (IP address) is a series of binary numbers that are allocated to computers or smart phones enabling it to identify and access the electronic communications network. The IP address is passed on to the server on which the web page that has been accessed is stored. A dynamic IP address of a website visitor is defined as a part of personal data for a website publisher. The publisher obtains the statutory means to recognize the visitor with the of additional information that is available to the internet access provider.

According to Post (2017), European data protection law as in the form of 2016 Regulation and the 1995 Directive qualifies as instances of good and effective law. It sets out the minimum standards that are applicable to every situation and provides huge number of voluntary choices. Although the data protection laws are flexible and adaptable, Spiekermann et al (2015) assert that European data protection laws lack detailed standards. Majority of its provisions create broad principles but fails to implement such standards in details. In regards to sensitive data provisions, there is no standard provision that is even close to veto to certain processing activities. The protection of personal data has been identified as fundamental right in the EU Charter 2000 but the terminology used in the provisions fails to forbid the idea of dealing with personal information. In the 2015 Schrems case, the CJEU invalidated the decision of the European Commission 2000 regarding ‘adequacy’ of the EU-US Safe Harbor (SH) rules ad permitted data transfers from EU to the US for commercial purposes. The regarded the decision as invalid on the ground of ‘equivalence’ between the extent of protection prevailing in a third world country and the European data protection system. As per Article 7 of the Directive stipulates six circumstances under which the processing of personal data can be considered as lawful.

Convention 108

However, Article 7(f) of the Directive provides a flexible ground that is repeated in the GDPR. Article 7(f) is the last ground that provides circumstances where dealing out of personal data is considered legal. However, along with the other reason, the ground under article 7(f) of the Directive is not as restrictive as the other grounds. The provision permits data processing without any legal basis or consent, based only on the legal interests of the controller except where fundamental rights and interests of the data subject supersedes such legal interests. The privacy logic stipulated under Article 8 of the European Convention on Human Rights (ECHR) insists to construe the exceptions to rights restrictively and insists to provide a legal basis provided for proportionality testing and by law. There is a need to trim Article 7(f) of Directive to bring justice to the fundamental rights status that is accorded to data protection.

The Breyer case primarily deals with the definition of personal data and secondly, it is concerned about clarifying this fundamental concept in the context of European Data Protection laws. According to Geyer (2016), the CJEU already held that collection of IP addresses can be considered as personal data when the same is done by the Internet service providers like Scarlet in Case C-70/10 Scarlet Extended v Sabam [2011] ECLI:EU: C:2011:771, Legislative Framework.

As per the facts of the case, the Federal Republic of Germany deals with websites, this enables it to record the IP addresses of the website visitors. Patrick Breyer initiated legal proceedings against the Federal Republic of Germany for not ceasing obtaining IP addresses, when it was not technically necessary to store IP addresses of websites visitors on cyber security grounds.  This case was referred to the CJEU by the German Federal Court of Justice to decide two questions in issue. Firstly, whether the dynamic IP addresses of website visitors amounts to personal data for the operators of the websites within the meaning of Article 2 (a) of the Directive 95/46/EC for the public authority owner of that page where the Internet Service provider has additional knowledge that is required to classify the data subject.

Secondly, the question was if there was any specific provision under German Telemedia Act relating to data protection is consistent with the EU laws on data protection, where such provision excludes the justification provided under Article 7(f) of the Directive that is based on legitimate interests. It seeks to ascertain whether Article 7(f) of the Directive 95/46/EC excludes national legislation that permits the use of the personal data of the user without his consent. However, it permits only to the extent necessary to charge and make it possible for the particular use of the telemedium by the concerned user under which the purpose of ensuring the general functioning of the telemedium does not justify the data use after using the telemedium.

Directive 95/46/EC

In regards to the first question in issue that deals with whether ‘personal data’ includes dynamic IP address, the German government, on behalf of the Federal Republic of Germany contradicted with the plaintiff’s contention that IP addresses are subjected to the legal requirements of German data protection laws as it qualifies as persona data. The court upheld the contention of the plaintiff stating that a dynamic IP address amounts to personal data when the operator has statutory means to identify the visitor using the extra information that the operator receives from the internet service provider of the visitor.

However, Geyer (2016) argues that although the court had addressed the first question in issue directly but CJEU had only determined for the internet service providers that the IP addresses qualify as personal data as was provided in the judgment of ‘Scarlet Extended’ case. CJEU did not determine whether IP addresses are considered personal data for the online media service providers as well other than the internet service providers. However, Post (2017) asserts that the referring court was uncertain about the fact whether a dynamic IP address amounts to personal data for the Internet Service provider where the communication company offering network access deal with the additional data, when combined with the address, to identify the person accessing the web page, operated by the former.

According to the Federal Justice of German, Breyer’s IP address does not permit the website publisher to recognize Breyer directly and the website publisher can identify Breyer only if the internet service provider reveals the information about Breyer’s identity to the website publisher. The Federal Justice of Germany uses ‘objective and a relative’ approach, referring to legal scholarship in Germany, in order to determine whether IP addresses should be considered as personal data. Kaczorowska-Ireland (2016) asserts that there is an academic disagreement on the use of different approaches to determine whether personal data includes IP addresses.

As per the objective approach, the IP addresses used through the website that were at issues in this case, may be considered as personal data even if a third party that is, the internet service provider of Breyer, is only capable of identifying the data subject. On the contrary, the use of relative approach determines that IP address would form a part of personal data for the internet access provider of Breyer and not for the website publisher. CJEU states that as per the definition of personal data under the Data Protection Directive, personal data refers to any information linked to an identifiable or identified data subject or natural person. An identifiable person is a person who is subjected to identification directly or indirectly. Therefore, based on such assumptions, the court stated that the dynamic IP address of Breyer is not regarded as information that is associated with an ‘identified’ person for the website publisher. This is because the IP address does not directly disclose the identity of the natural person owning the computer from which the website was accessed or any other person who might have operated that computer.

The Breyer Case

(Koops (2014) argues that the court while determining whether IP addresses amounts to personal data did not expressly abstained from using the ‘absolute/objective’ approach. It pointed out that the concept of ‘personal data’ must be assessed using the relative/subjective approach. However, in order to address the question whether the IP address amounts to personal data, the court stated that it is not sufficient that only a third party may recognize the individual that has information about the data. The additional data possessed by the third party holds is necessary to recognize an individual is relevant if the possibility to merge this data provides a means that is likely reasonable to be used to recognize the individual. This requires that the recognition of the data subject is practically and statutorily possible for such party. In other words, it considers the party holding the data, which, in this case, the internet service provider and the existing means that are available for recognizing the individual by combining the same with the knowledge held by the third party.  

In regards to the second question, that the court decided was related to the interpretation of Article 7(f) of the Data Protection Directive which is also known as the balancing provision. Cini (2016) asserts that as per the Telemedia law in Germany, the provisions stringent when it comes to storing of IP addresses. This is because the legal provisions permit website publishers to store IP addresses only if the visitor of the website has obtained consent to store the IP address or when such storage is made for ensuring proper functioning of the website or billing purposes. According to Howorth (2014), the Data Protection Directive sets out another legal provision that permits processing of personal data if the processing is done as per the requirements stipulated in the directive. One of such requirements is that processing of personal data must be done on legal basis. Article 7 of the Directive 95/46/C lays down six legal bases that data processing should comply with in which Article 7(f) is considered as the balancing provision.

In answering to this question, CJEU highlights the points it mentioned in the judgment it made in ASNEF [2011] that dealt with the balancing provision Article 7(f) of the Directive. In ASNEF, the CJEU held that Article 7 of the Directive provides restrictive and exhaustive grounds under which data processing can regarded as legal. Further, the Member States are also prohibited from amending the scope of six principles that are stipulated under Article 7 of the Directive.

Analysis

The CJEU held that as per Article 7(f) of the Data Protection Directive prevents the Member states from not including the processing of certain categories of personal data without permitting the opposed interests and rights at issue strike a balance between each other in any particular case. The provision of Telemedia law is more constraining than the balancing provision of Article 7(f). Therefore, to answer the question raised in Breyer’s case, the CJEU held that Article 7(f) of the Data Protection Directive should be construed as one that precludes the legislation of Member State under which an online media service provider may collect and use personal data in relation to the user of such service without the user’s consent. This would take place despite the objective of the service provider would be to ensure general operability of such services and justifying the use of such data after consulting with the websites.

According to Koops and Leenes (2014), it can be said that Article 7(f) of the Directive stipulates that the legitimate interests of the controller must be balanced against the fundamental rights and freedoms of the data subject. The result of such balancing test shall significantly determine if Article 7(f) of the Directive provides a legal ground for processing data. Zuiderwijk and Janssen (2014) argue that it is an intricate assessment to conduct the balancing test as it requires assessment of number of factors. Firstly, it is important to assess what constitutes the legitimate interest that is pursued by the controller to whom data are disclosed. Secondly, it is required to examine what constitutes ‘fundamental rights and freedoms or interests’ of the data subject.

Reid (2017) asserts that the first five grounds stipulated under Article 7(f) is dependent on the consent of data subject, legal obligation and contractual arrangement or other identified grounds that are considered as legitimate. The processing of data subject on these five grounds is considered as a ‘priori legitimate grounds’ hence, it is subjected to compliance with other applicable legal provisions. In other words, it is presumed that there is a balance between various rights and interests of the data subject and that of the controller taking into account their compliance with other data protection laws. However, Reid (2017) further states that Article 7(f) requires a specific test, for cases that are do not qualify the grounds stipulated in Article 7 (a-e) of the Directive, in particular. This article ensures that beyond the other grounds, any data processing must establish that it fulfilled the balancing test, taking into consideration the fundamental rights and interests of the data subject.

Conclusion

In order to determine whether the interest of the controller is legitimate, the interest should be legitimate otherwise; it would not qualify the threshold stipulated under Article 7(f) of the Directive. The interest is considered as legitimate until the controller can attain the interest in a manner that is conformity with the data protection and other relevant laws. For instance, controllers may have a legal interest to know about the preferences of customers, as it would help them offer goods and services as per the preferences of the controllers, thus, meeting the desires and needs of the customers. In this context, Article 7(f) may be considered as an appropriate legal ground to carry out off-line and on-line activities provided there are appropriate measures. Nevertheless, this does not imply that the controllers are entitled to monitor the off-line and on-line activities of their respective customers based on Article 7(f) or combine all the data that they collected from various sources share them without any workable mechanism to object or informing them about the same. This would amount to invasion of privacy of customers resulting in overriding of the controller’s interest and rights of the data subject (Leenes et al. 2017).

Borgesius (2017) states that the Working Party on the Protection of Individuals in respect of personal data processing that is, set up by Directive 95/46/EC of the European Parliament recognizes the importance of Article 7(f) of the Directive 95/46/EC. It recognizes the usefulness of the Article 7(f) criteria, which may prevent over-reliance on other statutory grounds, if used in appropriate circumstances and are subjected to adequate safeguards. On the other hand, Storr (2017) argues that despite such usefulness, Article 7(f) should not be used as a ‘last resort’ for unexpected circumstances where other legitimate grounds stipulated under Article 7 of the Directive shall not be applicable. Moreover, this ground should not be selected automatically and neither should be extended merely because it is perceived as less restraining as compared to other grounds (Manteghi 2017).

Conclusion

From the above discussion, it can be inferred that the last ground stipulated under Article 7(f) of the Directive permits personal data processing that is needed for the legitimate interests followes by the third part or controller or to parties to whom the data is disclosed except under certain circumstances. Where such interests supersede fundamental rights and freedoms of the data subject, safeguarded under Article 1(1) of the Directive, personal data shall not be allowed to be processed. As per the studies conducted by Commission to review the Directive and based on exchange of views between national data protection authorities (DPA) have demonstrated lack of harmonized interpretation of the provision under 7(f) of the Directive. Kuner (2015) asserts  that although a true balancing test must be performed in several Member States, Article 7(f) of the Directive is often considered less constraining which makes it easier to legitimize any data processing that is usually not qualified as per the other legal grounds.

The lack of a consistent approach may lead to legal certainty and weaken the arrangement of data subjects resulting in imposition of unnecessary regulatory burdens on other organizations and businesses that operate across the borders as was observed in Breyers case. Therefore, it is about time to prepare a new general Data Protection Regulation where all the six grounds for data processing, and its relationship with other grounds for data processing is clearly comprehended and interpreted, raking into account the legitimate interests. Given that the essential right of the data subjects is at stake, it is imperative that the applicability of all the six legal grounds should be in terms of such essential rights of the data subject. Article 7(f) of the Directive should not be made easy or less constraining grounds to escape compliance with data protection law (Irion 2016).

Moreover, in Schrems case, the CJEU invalidated the SH adequacy decision because it did not find the existence of laws and practice that restricts the interference with privacy rights and data protection neither the individuals were entitled to any judicial remedies for such intrusion. This implied that restrictions to data protection shall be permitted only if there is a necessity. Further, the judgment made in ASNEF [2011] by ECJ had restricted the discretionary limits that the Member States are required to implement Article 7(f) of the Directive. The judgment in ASNEF [2011] made it clear that the Member states are prohibited to impose additional requirements with respect to the legal grounds for lawful data processing as per their national laws; otherwise, it would have substantial consequences (Granger and Irion 2014). The national court and relevant authorities are required to interpret their respective national provisions based on this ECJ judgment and if necessary, any national rules or practices that contradict with the judgment should be set aside. This judgment signifies that it is imperative to establish a clear and harmonized understanding between the European legislators and the national Data Protection Authorities (DPA) with respect to the applicability of Article 7(f) of the Directive.

Reference list

Barnard, C. and Peers, S. eds., 2017. European union law. Oxford University Press.

Borgesius, F.Z., 2017. The Breyer Case of the Court of Justice of the European Union: IP Addresses and the Personal Data Definition. Eur. Data Prot. L. Rev., 3, p.130.

Chua, H.N., Herbland, A., Wong, S.F. and Chang, Y., 2017. Compliance to personal data protection principles: A study of how organizations frame privacy policy notices. Telematics and Informatics, 34(4), pp.157-170.

Cini, M., 2016. European union politics. Oxford University Press.

Danezis, G., Domingo-Ferrer, J., Hansen, M., Hoepman, J.H., Metayer, D.L., Tirtea, R. and Schiffner, S., 2015. Privacy and Data Protection by Design-from policy to engineering. arXiv preprint arXiv:1501.03726.

De Hert, P., 2017. Data Protection’s Future without Democratic Bright Line Rules. Co-Existing with Technologies in Europe after Breyer. Eur. Data Prot. L. Rev., 3, p.20.

Geyer, F., 2016. Security versus justice?: police and judicial cooperation in the European Union. Routledge.

Granger, M.P. and Irion, K., 2014. The Court of Justice and the Data Retention Directive in Digital Rights Ireland: telling off the EU legislator and teaching a lesson in privacy and data protection. European Law Review, 39(4), pp.835-850.

Howorth, J., 2014. Security and defence policy in the European Union. Palgrave Macmillan.

Irion, K., 2016. A special regard: The Court of Justice and the fundamental rights to privacy and data protection.

Jonason, P., 2017. Online Proactive Disclosure of Personal Data by Public Authorities. A balance between transparency and protection of privacy.

Kaczorowska-Ireland, A., 2016. European union law. Routledge.

Koops, B.J. and Leenes, R., 2014. Privacy regulation cannot be hardcoded. A critical comment on the ‘privacy by design’provision in data-protection law. International Review of Law, Computers & Technology, 28(2), pp.159-171.

Koops, B.J., 2014. The trouble with European data protection law. International Data Privacy Law, 4(4), pp.250-261.

Kuner, C., 2015, September. The Court of Justice of the EU Judgment on Data Protection and Internet Search Engines: Current Issues and Future Challenges. In Protecting Privacy in Private International and Procedural Law and by Data Protection (pp. 19-44). Nomos Verlagsgesellschaft mbH & Co. KG.

Leenes, R., van Brakel, R., Gutwirth, S. and De Hert, P. eds., 2017. Data Protection and Privacy: The Age of Intelligent Machines. Bloomsbury Publishing.

Manteghi, M., 2017. The Relationship between Data Protection and the Right to Privacy and the Prospects of These Rights to Counterbalance the Risks Posed by the Surveillance Society.

Maximillian Schrems v Data Protection Commissioner; joined party: Digital Rights Ireland Ltd,. [2015], (C-362/14) EU:C:2015:650

McGeveran, W., 2016. Privacy and Data Protection Law. Foundation Press.

Patrick Breyer v Bundesrepublik Deutschland, Case C-582/14

Post, R., 2017. Data Privacy and Dignitary Privacy: Google Spain, the Right to Be Forgotten, and the Construction of the Public Sphere.

Purtova, N., 2017. The Law of Everything. Broad Concept of Personal Data and Overstretched Scope of EU Data Protection Law.

Reid, A.S., 2017. The European Court of Justice case of Breyer. Journal of Information Rights, Policy and Practice, 2(1).’

Reidenberg, J.R., 2014. The data surveillance state in the United States and Europe. Wake Forest L. Rev., 49, p.583.

Rodrigues, M., Kormann, M. and Al-Dulaimi, M., 2016. Data protection and privacy issues concerning facial image processing in public spaces. Athens Journal of Technology and Engineering, 3(1), pp.39-52.

Roosendaal, A. and Wright, J., 2017. Will data protection eventually kill privacy?.

Spiekermann, S., Acquisti, A., Böhme, R. and Hui, K.L., 2015. The challenges of personal data markets and privacy. Electronic Markets, 25(2), pp.161-167.

Storr, C. and Storr, P., 2017. Internet of Things: Right to Data from a European Perspective. In New Technology, Big Data and the Law (pp. 65-96). Springer, Singapore.

Taylor, L., Floridi, L. and van der Sloot, B., 2017. Introduction: A New Perspective on Privacy. In Group Privacy (pp. 1-12). Springer International Publishing.

Youm, K.H. and Park, A., 2016. The “Right to Be Forgotten” in European Union Law: Data Protection Balanced With Free Speech?. Journalism & mass communication quarterly, 93(2), pp.273-295.

Zuiderwijk, A. and Janssen, M., 2014. Open data policies, their implementation and impact: A framework for comparison. Government Information Quarterly, 31(1), pp.17-29.