IP addresses, Google, and data protection: That's why IP addresses are potentially always personally identifiable for Google

The IP address (network address) is potentially always personal data for the Google consortium. The reasons are diverse and are considered in this contribution. Therefore, the IP address, when sent to Google, is independent of national laws to be regarded as personal data.

Introduction

The ECJ ruled long ago, namely on 19.10.2016 (Case C-582/14), that IP addresses are always considered personal data when a national law allows the internet connection owner to be identified from an IP address. It is sufficient if there is an objective possibility of doing so. This also applies if several third parties would have to be involved in identifying the internet connection owner, for example the telecom and BND or in other countries then just other organizations or companies.

In Germany the BGH confirmed the judgment of the ECJ (see BGH-judgment from 16.05.2017 – VI ZR 135/13). Because in Germany it is possible within a criminal investigation to find out who the subscriber of a person of interest for criminal technical reasons is.

In other countries this may be different, because national prosecution laws of other countries can be shaped differently than in Germany.

If Google gets your IP address or mine, then it's potentially always personally identifiable. Google gets your IP address every time you visit a website from your desktop PC and this website Google Fonts or another Google tool is embedded. Even when using Google Analytics with IP anonymization, this applies. The anonymization option says according to Google that they promise not to use the IP address they always get anyway (which would be the interpretation of Google's promises, marked here as purely theoretical).

Why your IP address could potentially always be linked to you as a person, I will explain in the following.

The Google Account

Almost all of you have a Google account. This even applies if you've never created one yourself. Google simply assigns you an account when you use the Google search engine, Google Maps, or an Android smartphone (as long as it's standard and not ent-Google-t).

And that's how Google does it:

• For example, they call up the Google search engine (which you wouldn't do because there are other search engines like Ecosia, DuckDuckGo or Xayn).
• Google asks on first visit (or if you've deleted cookies beforehand), whether you agree with unnecessary data processing (the bolded formulation comes from me and is meant as a very shortened representation. To be precise, one would have to write hundreds of pages for the data processing at Google).
• Regardless of what you click on, Google always sets up an account for you and stores an identifier for you in one or more cookies. These cookies are called ENID, __Secure-ENID or also NID or IDE (or whatever, Google doesn't reveal that). For example, I'm still searching for a reliable explanation of the meaning of the cookies DV, OTZ, SOCS and AES.

They can therefore be associated with a Google account whenever you visit a page from Google, use a Google device or visit a page that has a Google service embedded or one that has a service embedded that exchanges data with Google (for example, an advertising platform that almost always operates Cookie Matching).

Using one of the mentioned cookies, Google can identify you with 100% accuracy. This works for example when a website has embedded the reCAPTCHA plugin from Google or is using the Google Maps plugin in its popular variant. As regards reCAPTCHA by Google, it should only be briefly noted that this plugin really uses many cookies with detailed specification.

A general personal connection arises from this

The Article 29 Group is the predecessor of the European Data Protection Board and enshrined in Art. 94 GDPR. This group has interpreted the GDPR and concluded that a data value can be personal if it is suitable to distinguish a person from others within a group of people. This interpretation is also represented by the Irish Data Protection Authority in its justification for the fine against WhatsApp.

Thus, a personal data situation would already be given if you can be distinguished from other people with it ("a person can be singled out from a group of persons").

A personal reference is established even more clearly when a personally related data value is present. This is given if either directly or indirectly, you can be concluded as Maxi Musterperson. A direct conclusion is especially possible through your name and your address.

An indirect conclusion is possible if you have a data value for which you could objectively identify a specific person. For example, it can be determined from a vehicle license plate who the car is registered to. You probably know that from the fine for speeding (of course only by hearsay). Also, a telephone number can be traced back to a person. Finally, this number is registered on a person. Similarly, an email address can be traced back to a person. One of my email addresses is klaus.meffert @ dr-dsgvo.de. Here there are two references to persons. Firstly, my name is in the email address. Secondly, it can be found out through a NIC query (DENIC in this case) who the domain dr-dsgvo.de was registered by. DENIC names the conditions for this, which include, for example, enforcing name and identification rights, but also a "legal infringement by websites". NIC stands for Network Information Center, DENIC for the German NIC

The more data presented about a person, the sooner it can be conclusively determined that it is a specific person. If the email address herberto.buechneri@web.de is known, along with the IP address 4711, along with the User-Agent Firefox97.Windows10.Version.1873, along with numerous visits to websites from this IP, along with the identification number of a Google account, along with the often entered address in Google Maps Wielandtstr. 999 in 66666 Frankfurt, along with the GPS coordinates from an Android smartphone, along with the telephone number