European Court of Justice rules IP addresses are personal data

Court finds details may be ‘personal’ if website can identify people using ISP data

The Court of Justice of the European Union ruled that the dynamic IP address of a website visitor constituted personal data if a website operator had the legal means allowing it to identify the visitor with additional information held by the ISP. Photograph: Thinkstock

The Court of Justice of the European Union ruled that the dynamic IP address of a website visitor constituted personal data if a website operator had the legal means allowing it to identify the visitor with additional information held by the ISP. Photograph: Thinkstock

 

In a judgment described by legal experts as having huge implications for privacy, the Court of Justice of the European Union has ruled that online identifiers known as dynamic IP (internet protocol) addresses may be personal data in certain circumstances.

IP addresses are a type of digital fingerprint that identifies a computer to a web server. Typically, an internet subscriber has one IP address associated with them or their household. A static IP address does not change. A dynamic IP address, which may be assigned to a computer by the internet service provider, changes each time the device accesses the internet.

There has been significant debate over whether they constitute personal data at all.

Website operators often record and track their users’ online behaviour for commercial purposes, but also to disclose records to law-enforcement agencies and owners of copyright-protected content upon request.

Injunction

On Wednesday, the court in Luxembourg ruled in a case referred by Germany.

Patrick Breyer had brought an action before the German courts seeking an injunction to prevent websites run by the Federal German institutions from registering and storing his IP addresses.

Mr Breyer, an MP for the Pirate Party in the Schleswig-Holstein regional parliament, brought this challenge against the German state, alleging that it was processing his personal data, in this case his IP address logs, without a legal basis.

The court ruled that the dynamic IP address of a visitor constituted personal data if a website operator had the legal means allowing it to identify the visitor concerned with additional information about him held by the internet access provider.

It found that users’ IP addresses are personal data and may be collected only where allowed by data protection law.

Bulk IP addresses

Mr Breyer noted the court had not decided on whether website operators may retain IP addresses in bulk or whether the users’ privacy rights prevail. EU law does not give specific guidance on the matter.

He called on the European Commission to amend EU legislation to specifically prohibit any blanket recording of people’s internet use by website operators.

Europe should reject the ruthless NSA [US National Security Agency] method of ‘collecting it all’ and enforce our right to freedom of information and expression in the digital age,” he said.

Mr Breyer said websites could be safe without tracking every user across every page.

“This internet stalking is about as useful as hanging a CCTV camera next to an open warehouse door. We need secure IT systems, not a general suspicion against Europe’s 400 million internet users.”

He said IP addresses had “turned out to be extremely prone to error und unreliable when used to identify users”.

“For as long as browsing the internet can result in prosecution, there is no real freedom of information and expression online.”