欧盟法院案例 | 动态IP地址构成个人数据?
2022/11/27 12:07:48 数据法盟
DPOHUB何谈第3期直播预约 | 何渊:个人信息认证——数据出境的第三条道路主题:个人信息认证——数据出境的第三条道路主讲人:何渊,DPOHUB主理人,上海交大数据法律研究中心执行主任时间:2022年11月27日(本周日)晚8点开始入群预约
Patrick Breyer v. Bundesrepublik Deutschland
审理法院:欧盟法院第二法庭(The Court (Second Chamber))
案号:C-582/14, EU:C:2016:779
判决时间:2016年10月19日
核心问题
用户访问网站时,在线媒体服务商存储的IP地址是否构成用户的个人数据?
欧盟法院观点
由在线媒体服务商记录的动态IP地址构成第95/46号指令第2(a)条意义上的个人数据,就该提供商而言,其能够通过与拥有的关于该用户的额外数据相结合来识别数据主体。
说
明
说明:以下内容由中国人民大学法学院苏博晖翻译,原文来自欧盟法院于2021年公布的“个人数据保护情况说明书”(fact sheet),第12页,全文详见文末“阅读原文”。
个人数据的概念
Breyer向德国民事法院提起诉讼,要求法院下令禁止德意志联邦共和国存储或委托第三方存储其每次访问德国联邦机构网站时被传输的计算机化数据。为了防止网络攻击及追究内容抄袭成为可能,德国联邦机构的在线媒体服务提供商(Online Media Service Provider)记录了包含 “动态”IP地址(这种IP地址在每次连接到互联网时都会发生变化)以及该网站被访问的日期和时间在内的数据。与静态IP地址不同,动态IP地址不能立即通过公众可访问的文件,在特定的计算机和互联网服务提供商(Internet Service Provider)使用的网络物理连接之间建立链接。所记录的数据本身并不能使在线媒体服务提供商识别用户。然而,互联网服务提供商拥有额外的信息,如果额外信息与IP地址结合在一起,它就有可能识别用户。
Breyer向德国联邦法院(the Bundesgerichtshof)提起上诉,在这种情况下,德国联邦法院询问欧盟法院当在线媒体服务提供商的网站被访问时,其存储的IP地址是否构成用户的个人数据。
法院指出,首先,在第95/46号指令第2(a)条的意义下,要将信息视为“个人数据”,并没有要求所有能够识别数据主体的信息必须掌握在同一个主体手中。因此,即使用于识别网站用户的额外信息并非由在线媒体服务提供商持有,而是由该用户的互联网服务提供商持有,也似乎认为在线媒体服务提供商记录的动态IP地址不构成95/46号指令第2(a)条(第43和44段)意义上的个人数据。
因此,法院裁定,个人访问由在线媒体服务提供商向公众开放的网站时,如果后者能够通过合法手段借助互联网服务提供商拥有的关于该个体的额外数据识别数据主体,那么由该提供商登记的动态IP地址构成第95/46号指令第2(a)条意义上的个人数据(第49段和执行部分1)。
案例原文
Breyer had brought an action before the German civil courts for an order prohibiting the Federal Republic of Germany from storing, or arranging for third parties to store, computerised data transmitted at the end of each consultation of websites of the German federal institutions. With a view to preventing attacks and making it possible to prosecute ‘pirates’, the provider of online media services of the German federal institutions was registering data consisting in a ‘dynamic’ IP address — an IP address which changes each time there is a new connection to the internet — and the date and time when the website was accessed. Unlike static IP addresses, dynamic IP addresses do not immediately enable a link to be established, through files accessible to the public, between a given computer and the physical connection to the network used by the internet service provider. The registered data would not, in themselves, enable the online media services provider to identify the user. However, the internet service provider did have additional information which, if combined with the IP address, would make it possible for the user to be identified.
In that context, the Bundesgerichtshof (Federal Court of Justice, Germany), before which an appeal on a point of law had been brought, asked the Court whether an IP address which is stored by an online media service provider when his website is accessed constitutes personal data for that service provider.
The Court noted, first of all, that, for information to be treated as ‘personal data’ within the meaning of Article 2(a) of Directive 95/46, there is no requirement that all the information enabling the identification of the data subject must be in the hands of one person. The fact that the additional information necessary to identify the user of a website is held not by the online media services provider but by that user’s internet service provider does not, therefore, appear to preclude dynamic IP addresses registered by the online media services provider from constituting personal data within the meaning of Article 2(a) of Directive 95/46 (paragraphs 43 and 44).
Consequently, the Court found that a dynamic IP address registered by an online media services provider when a person accesses a website that the provider makes accessible to the public constitutes personal data within the meaning of Article 2(a) of Directive 95/46, in relation to that provider, where the latter has the legal means which enable it to identify the data subject with additional data which the internet service provider has about that person (paragraph 49 and operative part 1).
Judgment of 19 October 2016, Breyer (C-582/14, EU:C:2016:779)
每天两块钱,实时获取全球数据合规风险预警
如需《英国ICO数据跨境六步法评估工具》PDF版,请加入圈子免费下载
招募讲师:欢迎加入DPOHUB课程平台
平台介绍:数据合规权威平台之一,数据法盟和数据保护官的专业粉丝超过10万,学员超过2万。讲师收益:权威平台的免费宣传,塑造讲师个人职业品牌及影响力;收益共享权。申请条件:只要在数据隐私、安全及治理等方面具有落地经验或理论积累,都可以申请加入。授课方式:既可以是体系性课程(每讲20-30分钟),也可以是一次在线讲座(60-90分钟)。申请方式:请将“简历、课程名称及大纲”发送到微信:heguilvshi 或邮箱:11535782@qq.com
源网页 http://weixin.100md.com
返回 数据法盟 返回首页 返回百拇医药