First Reference company logo

Inside Internal Controls

News and discussion on implementing risk management

machine cogs image

IP address as personal information: Canadian and EU positions

IP addressThe October 19, 2016, judgment of the European Court of Justice in the matter brought by Patrick Breyer against the Federal Republic of Germany,[1] (the EU decision) raises the issue of whether an IP address is personal information under the EU Directive 95/46/EC of the European Parliament and provides an interesting comparison with the Canadian perspective.

In the EU decision, Mr. Breyer claimed the Federal Republic of Germany had no right to retain the IP address from the device he used to search for information on various government websites. He contended that his IP address is personal information that the website operator may only keep to facilitate access to the site and not for general purposes such as safeguarding the security of the site or fending off cyber–attacks such as denials of service.

The Court of Justice held that where third parties, such as Internet service providers (ISP), have subscriber information that can be legally accessed by the website operator and used in conjunction with the IP address to identify the visitor, the IP address is personal information. The court seemed to leave open the question of whether the IP address would constitute personal information if the holder of it could not reasonably or legally obtain the other information needed to identify the owner of the address. In so doing, it adopted a “relative” definition of personal information.

The court also held that individual states could not pass legislation that forbids the use of an IP address for any purpose other than facilitating network access and billing.

Canada’s position

The European decision provides an interesting contrast with the view of the Office of the Privacy Commissioner (OPC) of Canada. In a research paper published in May 2013, the OPC revealed that an IP address, combined with other publicly available information, even without any access to the ISP subscriber records, may permit identification of the owner and his or her Web-browsing or other activities. Based on this finding, an IP address may in many circumstances be personal information regardless of whether the ISP subscriber records linking that address with an individual are legally accessible to the organization collecting the IP address.

This conclusion is consistent with an earlier OPC decision in which it held that an organization’s advertising server could not attempt to access the NetBIOS of a visitor’s computer without consent. A NetBIOS is, according to the OPC, “[a] computer’s common or ‘friendly’ name related to its Internet protocol (IP) address.”[2]

A word of caution, however, is appropriate. The OPC’s findings do not mean that consent to the collection of an IP address is always required. There may be a number of legitimate reasons for collecting this information, including those relating to security of the site. These reasons would not necessarily extend, however, to collection and use of IP addresses for advertising purposes without some form of consent.[3]


[1] ECLILEU:C:2016:779.
[2] PIPEDA Case Summary #2001-25, Office of the Privacy Commissioner of Canada
[3] The OPC’s view on when that consent must be opt-in rather than opt-out is discussed in PIPEDA Report of Findings #2015-001.

By: Julie Himo, Norton Rose Fulbright Canada LLP

Occasional Contributors

In addition to our regular guest bloggers, Inside Internal Controls blog published by First Reference, provides occasional guest post opportunities from various subject matter experts on the topics of risk management and best practices in finance and accounting, information technology, environmental issues, corporate governance, sales/marketing and operations, not-for-profits and business related issues in Canada. If you are a subject matter expert and would like to become an occasional blogger, please contact Yosie Saint-Cyr at editor@firstreference.com. If you liked this post and would like to subscribe to Inside Internal Controls blog click here.
Send to Kindle

, , , , , , , , ,

Leave a Reply

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.