top of page
  • Writer's pictureMarie-Avril Roux Steinkühler

🇬🇧 - The IP address has finally been incorporated into the personal data family

In its judgement of 3 November 2016, the Court of Cassation held that an IP address[1] must be regarded as belonging to the realm of personal data[2] in accordance with articles 2 and 22 of law no. 78-17 of 6 January 1978 relating to data, files and freedoms.

In a world in which the internet and telecommunications services have become indispensable, this finding is of particular interest.

For several years now, the conflict between the protection of personal data on the one hand and the exploitation of new possibilities for storing and processing data generated by the world of the computer on the other, has intensified. Besides being the subject of heated debate at a national level, the protection of personal data in electronic form is a sensitive issue at European level.

With its ruling, the Court of Cassation put an end to a French judicial hesitation (I) albeit aligning itself with the decision of the European Court of Justice from 19 October 2016, in which IP addresses were qualified[3] as personal data[4] and, therefore as subject to the legal provisions on the protection of such data (II).

I. The Court of Cassation has put an end to a hesitant French jurisprudence ...

In the judgement in question, the LOGISNEUF group had discovered a connection made to its computer network by computers not belonging to the group. Connections were made using access codes reserved to site administrators. In order to identify the holders of the disputed IP addresses, the LOGISNEUF group applied for an investigation carried out by special authorities (juges de requêtes) on the basis of which, these IP addresses were provided to the judges.

CABINET PETERSON, an investment and management consultancy; direct competitor of LOGISNEUF and owner of the contentious IP addresses later challenged the legality of the conservation of IP addresses by the LOGISNEUF group. They argued that under the legal provisions that apply to the storage of personal data, an appropriate declaration should have been made to the CNIL.

In its judgement, the Court of Cassation stated that "the (...) IP addresses are personal data, so their collection constitutes the processing of personal data and is subject to a prior declaration to the CNIL".[5]

By this finding, the Court overturns not only the judgement of 28 April 2015 made by the Rennes Court of Appeal, which ruled that an IP address did not constitute personal data, that it "refers to a computer and not to the user"[6], but it terminates an intense French jurisprudential debate.

In 2007, the High Court of Saint-Brieuc considered that the IP address associated with the internet service provider (ISP), constituted the means with which to identify the user name and therefore, the information gathered was indeed personal data.[7] However, in the same year, the Paris Court of Appeal had defended the opposite position by stating that the IP address "does not constitute indirectly personal data in respect of the person, the address relating to a machine and not to the individual who uses the computer (...)."[8]

Then a year later, the Rennes Court of Appeal was still opposed to the last position taken by the Court of Appeal of Paris, arguing that even "if [the IP address] does not by itself identify the owner of the computer or the user who used the computer and made the files available, it acquires nominative characteristics as it can simply be compared with the subscriber base held by the ISP."[9] The judgement was repealed on January 13, 2009 without, however, the Supreme Court expressly ruling on the qualification of IP addresses.[10]

The Council of State, for its part, had, in a decision made on 11 March 2015, considered that unique identifiers and IP addresses represent personal data and that they would in this case have been collected with the prior consent of the user.[11]

Finally, the judgement of November 3, 2016 seems to end this judicial indecision, clearly stating the principle that IP addresses are personal data.

II. ... in line with the decision of the Court of Justice of the European Union of 19 October 2016

Moreover, the judgement seems to confirm a trend established by the Court of Justice of the European Union (ECJ), which delivered a judgement on this subject last October.

The basis of that judgement was a German dispute between Mr. Patrick Breyer and the German federal services. Mr. Breyer opposed the German courts claiming "that the websites of the German federal authorities he consulted, recorded and stored his internet protocol addresses (IP)."[12] Recording these addresses had been justified as a defence "against cyber-attacks and [to] make prosecution possible."[13]

To settle the dispute, the German Federal Court of Justice turned to the ECJ which had to decide on two questions, the first specifically concerned the qualification of IP addresses as personal data:

"1) may Article 2 a) of Directive 95/46 be interpreted as meaning that an IP address that is registered with a service provider [online media] on the occasion of access to its website constitutes personal data even if it is a third party (in this case, the service provider) who provides the additional information needed to identify the person concerned?"[14]

As for the first question, it should be noted that there is a differentiation mentioned in the question between "the service provider [online media]"[15] on one side and "the ISP [with the additional information needed to identify the person concerned]"[16] on the other.

Indeed, even though an online service provider that collects an IP address cannot access directly to the exact identity of the owner of that address, an Internet service provider (ISP) has the information necessary to make such a nominal identification.

In its judgement of 19 October 2016 the ECJ therefore specified that "a dynamic IP address registered by an (...) operator of a website (...) during consultation of its publicly accessible website is to be considered as personal data, insofar as the operator of the website has legal remedies enabling him to identify visitors using additional information available through the ISP."[17]

Thus, the ECJ emphasized that only the IP address registered by a site operator who has the legal ability to obtain the additional information necessary for a nominal identification of the user to which the IP address matches falls within the category of personal data.

This clarification is added to a previous judgement of the ECJ handed down on 24 November 2011, in which the Court already ruled that IP addresses are "protected personal data because they allow precise identification of said users." The judgement in 2011, however, confined itself to defining as personal data, IP addresses collected directly by an Internet service provider (ISP), and not ruling on IP addresses collected by operators of websites. The significant difference between the two consists in the possibility for the ISP to identify accurately the direct users behind the IP addresses. The operators of websites in turn, require additional information (available to ISPs) in order to make such a personal identification.

In its recent judgement, the ECJ maintains its restrictive approach, whereby an IP address constitutes personal data "as it allows, in conjunction with other means, the nominal identification of the internet user."[18]

Of course, the judgement of the Court of Cassation aligns itself in one respect with the decision of the ECJ. This alignment remains limited, though. Because even though it also recognises IP addresses as personal data, it does so less timidly. Thus, the Supreme Court explicitly says that even "IP addresses, which indirectly identify an individual are personal data, and so their collection constitutes the processing of personal data and must be subject to a prior declaration to the CNIL."[19] The data collector does not have to be in possession of all the elements in order to be able to reveal the identity of the IP address holder, it is sufficient that this identification can be made indirectly in order to assert that the IP addresses represent personal data, which must be protected accordingly.

The judgement of the Court of Cassation can thus be considered more protective for users than the prevailing European jurisprudence.

[1] IP address: An IP (Internet Protocol) address is an identification number assigned permanently or temporarily to each device connected to a computer network using the internet protocol.

[2] Court of Cassation, 1st civil chamber, judgement of November 3, 2016

[3] This judgement, however, refers only to dynamic IP addresses: A dynamic IP address is an IP address that changes at each new connection to the internet. Unlike static IP addresses, dynamic IP addresses do not enable connections using publicly available files between a given computer and the physical connection to the network used by the ISP. Thus, only the internet service provider is in possession of the necessary information to identify the individual behind the IP address.

[4] EUR-Lex; C-582/14 JUDGEMENT OF THE COURT (second chamber), 19 October 2016

[5] Court of Cassation, 1st civil chamber, judgement of November 3, 2016

[6] CA Rennes, Commercial Division., April 28, 2015, n˚ 14/05 708

[7] High Court Saint Brieuc, September 6, 2007

[8] CA Paris, Criminal Division 13, Section A, May 15, 2007, No. 06/01954

[9] CA Rennes, 3rd chamber, May 22, 2008, No. 07/01495

[10] Supreme Court, Criminal Division, 13 January 2009, appeal no.: 08-84088

[11] Council of State, sub-sections 10 and 9 combined, March 11, 2015, No. 368624

[12] Http://

[13] Idem.

[14] EUR-Lex; C-582/14 JUDGEMENT OF THE COURT (second chamber), 19 October 2016



[17] Http://

[18] Http://

[19] Court of Cassation, 1st civil chamber, judgement of November 3, 2016


bottom of page