Reviewing the classification of IP addresses as personal data

Question for written answer E-002546/2024
to the Commission
Rule 144
Afroditi Latinopoulou (PfE)

Under Article 4 of the GDPR, IP addresses are considered 'identification numbers', thus constituting personal data. However, an IP address is simply a unique number that is assigned to devices connected to the internet. There is no direct link with natural persons. Linking an IP address with the identity of a specific person requires either the user's declared consent or a legal process to be conducted through the relevant internet service provider.

What is more, most users have a dynamic IP address that changes regularly. This is why many technologically advanced countries such as Australia, Japan and certain states in the US do not consider IP addresses to be personal data.

The fact that they are considered such in the EU has a negative impact on businesses because users have to consent to their IP address being processed, even though this address alone cannot reveal a person's identity. While we acknowledge that the user's express consent is needed for actual personal data that reveals a user's physical identity, IP addresses cannot be considered as such.

In view of this:

• 1.What solution does the Commission propose to settle the fundamental technical problem of IP addresses being considered personal data when they do not automatically reveal any personal physical attribute that would make the user identifiable?
• 2.Can the Commission make the necessary amendment to the GDPR, removing the classification of IP addresses as personal data?

Submitted: 14.11.2024