Reprieve for IT departments as EU court rules on IP addresses

The PageFair Team EU, Privacy Leave a Comment

If you run a website, you might want to breathe a sigh of relief. A decision1 this morning from the European Court of Justice means that websites can continue to store visitor IP addresses.

The EU Court of Justice (ECJ) ruled that IP addresses are to be considered “personal data”, which are subject to the EU’s data protection rules, but hedged against causing disruption by watering down the ruling.

From the ECJ press release:

The dynamic internet protocol address of a visitor constitutes personal data, with respect to the operator of the website, if that operator has the legal means allowing it to identify the visitor concerned with additional information about him which is held by the internet access provider.

It would have been a shock to many if the ruling had gone the other way.2

Why this matters

The immediate impact of a decision stopping the logging of IP addresses would have been disruption to many websites and services. IT departments everywhere would have thrown up their hands in despair at the task of expunging IP addresses from systems and databases that have relied on them.

Web services routinely keep a log of their users’ IP addresses. These logs are used for numerous largely mundane and innocuous purposes, such as to provide customized features to particular users, to prevent or enable access to content, or to blacklist IP addresses involved in “denial of service” attacks against a site.

IP addresses are rather more valuable to other companies. For instance, some adtech companies use IP addresses to identify and target consumers. Netflix and other content providers rely on IP addresses to restrict the use of VPNs to access TV shows and movies in blocked countries.3

While the ruling will probably pass by unnoticed, it is clear that websites have been granted a very real (although possibly temporary4) reprieve, as the EU has been quick to act on ECJ rulings despite potentially devastating effects on companies both in Europe and elsewhere.

Share this Post

Background to the ECJ’s decision

The ECJ was asked to rule on two issues:

  1. whether an IP address is personal data,5 and
  2. whether the practice of logging IP addresses without consent was legal.6

This followed eight years of litigation in various German courts7, which initiated in an action taken against the German government by Patrick Breyer, a member of Germany’s Pirate Party.8 Breyer argued that government websites did not have an unrestricted right to indefinitely record the IP addresses of visitors without their consent.

Although IP addresses on their own are largely innocuous, Breyer gave two ways that government websites could combine IP addresses with other data to identification of an individual.

First, internet service providers (ISP) record customers’ real names and addresses, and assign their IP addresses. It is not inconceivable that a government could gain access to these records and connect a person’s real identity to their IP address.

Second, when combined with pages visited or search terms, IP addresses can provide an extensive profile of the visitor’s “political opinion, illnesses, religion, union affiliation” and more.9

The ruling

Today’s ruling will probably allow the German Supreme Court to rule against Breyer, as it effectively states that:

  1. a dynamic IP address constitutes personal data for a website operator only if it has the legal means enabling it to identify the visitor with the help of additional information from the ISP
  2. a website operator may collect and store personal data without consent for an indeterminate period so as to ensure the continued functioning of the website
CASE TIMELINE

JANUARY 3, 2008
Patrick Breyer asks Berlin local court to stop German government websites logging IP addresses
AUGUST 13, 2008
Local court dismisses case, arguing that an IP address is insufficient to identify an individual
JANUARY 31, 2013
Breyer appeals decision to Berlin district court, which orders German government to cease unrestricted logging of IP addresses
SEPTEMBER 16, 2014
German Federal Court of Justice addresses appeals from both parties
DECEMBER 17, 2014
German Federal Court of Justice refers two questions to European Court of Justice
MAY 12, 2016
Advocate General Sánchez-Bordona delivers his non-binding but influential opinion
OCTOBER 19, 2016
European Court of Justice rules that IP addresses are personal data under some circumstances

Notes:

  1. The text of the ruling is available in a range of European languages (excluding English as of the time of writing) at http://curia.europa.eu/juris/document/document.jsf?text=&docid=184668
  2. It could have been different, if the additional clause referring to legal means had not been included, as personal data is subject to stringent protection in the EU. Interestingly, the ruling slightly diverges from an opinion of an ECJ Advocate General delivered in May. Cases before the ECJ are considered in advance by an Advocate General, who publishes a (non-binding) opinion with which the Court often agrees. In May, AG Campos Sánchez-Bordona issued an opinion on this case that agreed that dynamic IP addresses constitute personal data, but also said that these data can be processed and stored without consent in cases where this is necessary to ensure a web service’s functionality.
  3. Geolocation can work at just the country-level, making it unnecessary to track individual IP addresses, and there are ways for Netflix et al to prevent VPN abuse, especially as business entities do not enjoy the same protection as individuals, but such workarounds would take time and money.
  4. The General Data Protection Regulation could change the rights landscape once it is applied in May 2018, as it includes stringent rules on how websites can handle personal data.
  5. See http://curia.europa.eu/juris/document/document.jsf?docid=162555&doclang=EN&mode=req&occ=first (accessed October 11, 2016). Also, this is not the first time that the ECJ has concluded that IP addresses could be considered personal data. In Case C-70/10 Scarlet Extended SA v SABAM, a dispute between an ISP and a company “responsible for authorising the use by third parties of the musical works of authors, composers and editors”, the ECJ ruled that the ISP, Scarlet, could not be compelled to install a filtering system to detect and prevent the unlawful exchange of copyrighted works, as

    …the filtering system would also be liable to infringe the fundamental rights of its customers, namely their right to protection of their personal data and their right to receive or impart information, which are rights safeguarded by the Charter of Fundamental Rights of the EU. It is common ground, first, that the injunction would involve a systematic analysis of all content and the collection and identification of users’ IP addresses from which unlawful content on the network is sent. Those addresses are protected personal data.

    However, while it opened the door to the classifying of IP addresses as personal data and was referenced in the Breyer opinion, AG Campos Sánchez-Bordona noted that the SABAM case was “in a context in which the collection and identification of IP addresses was carried out by the Internet service provider”. Today’s judgement has farther-reaching consequences: the ISPs in the SABAM case already knew who their customers are, whereas the Breyer case affects any and all websites.

  6. Or, more precisely, in accordance with the relevant provision of the German Telemedia Act, which states that a website provider may collect and process the personal data of users without their consent only to the extent it is necessary to (1) enable the general functionality of the website or (2) arrange payment. In addition, the relevant provision of the Telemedia Act states that enabling the general functionality of the website does not permit user data to be processed after the user closes, or navigates away from, the website.
  7. From Amtsgericht to Landgericht to Bundesgerichtshof.
  8. Case C-582/14 Patrick Breyer v Bundesrepublik Deutschland. EUR-Lex. http://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1476178592484&uri=CELEX:62014CN0582 (accessed October 11, 2016).
  9. Translated from the original German suit brought by Breyer: http://www.daten-speicherung.de/wp-content/uploads/Surfprotokollierung_2008-01-03_Klageschrift_Kl_an_AG.pdf (accessed October 12, 2016).