Online identifiers are not always personal data
The Polish DPA's decision reprimanded a company (iSecure sp. z o.o.) for failing to comply with the data subject's access and erasure request regarding his online identifiers presumably stored by the company. We described the DPA's decision in iSecure case for INPLP in early 2022. The reprimanded company lodged a complaint against the DPA's decision. In July 2022 The Voivodeship Administrative Court in Warsaw examined iSecure’s complaint and annulled the Polish DPA's decision in which the authority stated that if an IP address is assigned for an extended time or permanently to a particular device, and that device is assigned to a specific user, it should be considered personal data under Article 4(1) GDPR.
The "game-changing" judgment
Article (4) 1 GDPR stipulates that personal data is any information relating to an identified or identifiable natural person. The Court noted that GDPR does not predetermine whether internet identifiers should always be treated as personal data or as one of the factors enabling the identification of a person. According to the Court, the Polish DPA did not sufficiently explain on what basis it determined that there was a "reasonable likelihood of identifying" the data subject in connection with the IP address and cookie ID that was stored on the website operated by the company. Furthermore, By referring to the CJEU's judgment from 2016 in the case C-582/14 (P.Breyer v. Germany), the Court reminded that in answering the question of whether specific online identifiers constitute personal data, one should take into account "all reasonably likely means ... about which it is reasonably likely" that they will be used to identify an individual. Simultaneously the Court underlined that the fact that in the Breyer case, the CJEU recognized dynamic IP addresses as personal data does mean that one can automatically classify all dynamic IP addresses held by ISP as personal data.
The Voivodeship Administrative Court in Warsaw provides a much-anticipated critique of a Polish DPA's broad approach to classifying online identifiers as personal data, regardless of the circumstances in which such information is processed. The recital 26 of the GDPR stipulates that to determine whether a natural person is identifiable, an account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person, to identify the natural person directly or indirectly. Thus one cannot predetermine (especially in a dynamic online environment) which data will be "personal data" under GDPR. Unfortunately, the judgement we described is not final, and the Supreme Administrative Court may question the Court's position in Warsaw if the Polish DPO appealed the judgement. It remains to be seen whether the more reasonable approach to classifying online identifiers as personal data will prevail.
Article provided by INPLP members: Xawery Konarski and Mateusz Kupiec (Traple Konarski poderecki & Wspólnicy, Poland)
Dr. Tobias Höllwarth (Managing Director INPLP)