Your dynamic IP address is now protected personal data under EU law
CJEU rules that personal IPs can’t be stored, unless to thwart cybernetic attacks or similar.
By GLYN MOODY
Oct 19 2016
Europe’s top court has ruled that dynamic IP addresses can constitute “personal data,” just like static IP addresses, affording them some protection under EU law against being collected and stored by websites.
But the Court of Justice of the European Union (CJEU) also said in its judgment on Wednesday that one legitimate reason for a site operator to store them is “to protect itself against cyberattacks.”
The case was referred to the CJEU by the German Federal Court of Justice, after an action brought by German Pirate Party politician Patrick Breyer. He asked the courts to grant an injunction to prevent websites that he consults, run by federal German bodies, from collecting and storing his dynamic IP addresses.
Breyer’s fear is that doing so would allow the German authorities to build up a picture of his interests, according to the Austrian newspaper der Standard. Site operators argue that they need to store the data in order to prevent “cybernetic attacks and make it possible to bring criminal proceedings” against those responsible, the CJEU said.
It held in its ruling that dynamic IP addresses could be considered personal data, even though they didn’t refer consistently to one person, provided a website “has the legal means enabling it to identify the visitor with the help of additional information which that visitor’s Internet service provider has.” Since this is generally the case in Germany, the court said that dynamic addresses would then be personal data—an important ruling.
Under EU law, the processing of personal data is only lawful if if is necessary “to achieve a legitimate objective pursued by the controller, or by the third party to which the data are transmitted, provided that the interest or the fundamental rights and freedoms of the data subject does not override that objective.”
In this case, the CJEU said that the federal German institutions running the websites in question “may have a legitimate interest in ensuring the continued functioning of their websites which goes beyond each specific use of their publicly accessible websites,” when protecting their sites against online attacks. They were therefore permitted to store IP addresses for this purpose, whether dynamic or static.