The European Supreme Court rules that the subscriber identity behind an IP address is personal data, making such data protected by privacy laws. However, the court rules in a very narrow context of a web site operator, and says that the protection of personal data takes second place to a so-called “legitimate objective”. This may be an important verdict for future case law, but right now, it looks rather narrow.
The European Court of Justice, the highest court in the EU, has ruled that the information about who was allocated a certain IP address at a certain time is personal data. This is a very important key word in European legislation, which means the data’s availability and use is protected by a mountain and a half of regulations and laws.
The case was brought to the European Court of Justice by Patrick Breyer, a Pirate Party MP in the German State Parliament of Schleswig-Holstein, who is also a lawyer. Mr. Breyer was suing the Federal Government of Germany to prevent them from storing and recording his every visit to federal authorities’ websites.
Under EU law, [it is illegal] for an online media services provider [to] collect and use a visitor’s personal data without their consent, [except for] to the extent that it is necessary to facilitate and invoice the specific use of services by that visitor.
The Court ruled that while the IP address allocation is identifying information, and therefore personal data, the website operator – the Federal Government of Germany – has a legitimate objective in storing this data in order to prevent malicious attacks on its website and operations. Further, the IP address allocations were only ruled to be personal data within the very narrow scope of the operations of a website:
“The dynamic internet protocol address of a visitor constitutes personal data, with respect to the operator of the website, if that operator has the legal means allowing it to identify the visitor concerned with additional information about him which is held by the internet access provider”
So this means that IP address allocations are personal data for a website operator if that website operator can legally coerce the visitor’s ISP to disclose allocation logs. That’s a lot of ifs and buts, even if they’re all logical – it’s not identifying until it’s identifying.
On the plus side here, we have to really appreciate a supreme court finally using words like “dynamic IP address” in the correct way, and even taking the time to explain the difference between static and dynamic IP addresses in its press release to legacy media. Note how they even point out to media that an IP address identifies connected equipment, instead of the usual misunderstanding that an IP address identifies a person, in the quote below. This is progress.
“A dynamic IP address is an IP address which is different each time there is a new connection to the internet. Unlike static IP addresses, dynamic IP addresses do not enable a link to be established, by means of files accessible to the public, between a specific computer and the physical connection to the network used by the internet service provider.”
So what does it mean that a website operator’s logs are personal data in a significant number of cases, but that the operator has a legitimate interest in technical matters, according to this ruling?
It means that a website operator may safely keep their Apache logs without fear of prosecution.
However, it also means that those logs may not be sold for profit when they contain identifying information that may be used in ways the individuals concerned have not consented to.
At the end of the day, that sounds like a good ruling.
Privacy still remains your own responsibility, though.