Source: European Parliament
The definition of personal data in Regulation (EU) 2016/679[1] (GDPR) is technologically neutral and broad to prevent creating a serious risk of circumvention of the protection of personal data[2]. Article 4(1) GDPR defines personal data as ‘any information relating to an identified or identifiable natural person’, including an online identifier that identifies the person directly or indirectly.
Online identifiers, such as cookies and Internet Protocol (IP) addresses, combined with other information may be used to create online profiles of natural persons and identify them[3].
Whether an IP address is personal data within the meaning of Article 4(1) GDPR depends on whether it can be linked to an identified or identifiable natural person.
That is not always the case; it depends on the specific circumstances. In that respect, account must be taken of all the means reasonably likely to be used to identify the person, looking at all objective factors, such as the cost of and the amount of time required for identification, taking into consideration the available technology[4].
The Court of Justice of the EU found on several occasions that IP addresses constituted personal data because the user of the IP address could be identified by the controller at issue[5].
In the second report on the application of the GDPR[6], the Commission did not conclude that the definition of personal data should be amended.
Regardless of their nature as personal data, where IP addresses are stored or accessed from the user’s terminal equipment, Article 5(3) of Directive 2002/58/EC[7] applies.
That provision protects the confidentiality of users’ terminal equipment. It requires consent for the storage of or access to information (both personal and non-personal) stored in the terminal equipment, unless it is carried out for the sole purpose of carrying out the transmission of a communication or if it is strictly necessary for the provision of an information society service explicitly requested by the user[8].
- [1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance), OJ L 119, 4.5.2016, p. 1-88.
- [2] See for more Recital 15 GDPR.
- [3] See for more Recital 30 GDPR.
- [4] See for more Recital 26 GDPR.
- [5] See for example C-470/21 and C-604/22.
- [6] Communication from the Commission to the European Parliament and the Council Second Report on the application of the General Data Protection Regulation, COM/2024/357 final.
- [7] Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), OJ L 201, 31.7.2002, p. 37-47, see in particular Recital 28.
- [8] See also EDPB, Guidelines 2/2023 on Technical Scope of Art. 5(3) of ePrivacy Directive.