Judgment Approved by the court for handing down
R (Bridges) v CCSWP and SSHD
“40.
In that connection, it is clear from the wording of
Article 2(a) of Directive 95/46 that an identifiable person is
one who can be identified, directly or indirectly.
41.
The use by the EU legislature of the word ‘indirectly’
suggests that, in order to treat information as personal data, it is
not necessary that that information alone allows the data
subject to be identified.
42.
Furthermore, recital 26 of Directive 95/46 states that, to
determine whether a person is identifiable, account should be
taken of all the means likely reasonably to be used either by
the controller or by any other person to identify the said
person.
…
45.
However, it must be determined whether the possibility
to combine a dynamic IP address with the additional data held
by the internet service provider constitutes a means likely
reasonably to be used to identify the data subject.
46.
Thus … that would not be the case if the identification
of the data subject was prohibited by law or practically
impossible on account of the fact that it requires a
disproportionate effort in terms of time, cost and man-power,
so that the risk of identification appears in reality to be
insignificant.
47.
Although the referring court states in its order for
reference that German law does not allow the internet service
provider to transmit directly to the online media services
provider the additional data necessary for the identification of
the data subject, it seems however, subject to verifications to
be made in that regard by the referring court that, in particular,
in the event of cyber-attacks legal channels exist so that the
online media services provider is able to contact the competent
authority, so that the latter can take the steps necessary to
obtain that information from the internet service provider and
to bring criminal proceedings.
48.
Thus, it appears that the online media services provider
has the means which may likely reasonably be used in order to
identify the data subject, with the assistance of other persons,
namely the competent authority and the internet service
provider, on the basis of the IP addresses stored.
49.
Having regard to all the foregoing considerations, the
answer to the first question is that Article 2(a) of Directive
95/46 must be interpreted as meaning that a dynamic IP
address registered by an online media services provider when a
person accesses a website that the provider makes accessible to
the public constitutes personal data within the meaning of that