A user's dynamic Internet Protocol address constitutes personal data for the website operator if the operator possesses legal means that enable them to identify the user in question using additional information available to the user's Internet service provider.
Mr. Patrick Breyer is suing in German courts against federal institutions recording and storing his Internet Protocol addresses ('IP addresses') from websites he accesses. These institutions record and store users' IP addresses, in addition to the time of access, to protect themselves against cyberattacks and enable criminal prosecution.
The German Federal Court of Justice wishes to ascertain from the Court of Justice whether, in this context, 'dynamic' IP addresses also constitute personal data for the website operator, thereby entitling them to the protection afforded to such data. A 'dynamic' IP address is an IP address that changes with each new internet connection. Unlike static IP addresses, dynamic IP addresses do not allow for establishing a connection between a computer and the physical network connection used by the Internet service provider based on publicly accessible files. Thus, only Mr. Breyer's Internet service provider possesses the additional information required for his identification.
The Federal Court of Justice further wishes to know whether a website operator must, at least in principle, have the possibility to collect and use users' personal data to ensure the general functionality of their website. In this regard, it points out that the relevant German regulation is predominantly interpreted by German legal doctrine to mean that data must be deleted at the end of the respective usage process, unless required for billing purposes.
In its judgment of October 19, 2016, the Court first ruled that a dynamic IP address, stored by an “online media service provider” (i.e., the operator of a website, in this case, federal institutions) when accessing its publicly available website, constitutes personal data for the operator if it possesses legal means to identify the user based on additional information held by the user's internet access provider.
The Court further stated that in Germany, there are apparently legal avenues allowing online media service providers, particularly in cases of cyberattacks, to contact the competent authority to obtain the relevant information from the internet access provider and subsequently initiate criminal proceedings.
Secondly, the Court ruled that Union law precludes a Member State regulation under which an online media service provider may only collect and use a user's personal data without their consent to the extent necessary to enable and bill for the specific use of the services by that user, without the purpose of ensuring the general functionality of the services being able to justify the use of data beyond the end of a usage session.
Under Union law, the processing of personal data is lawful, among other reasons, if it is necessary for the legitimate interest pursued by the data controller or by the third party or parties to whom the data are disclosed, unless the interests or the fundamental rights and freedoms of the data subject override those interests.
According to the prevailing interpretation in legal doctrine, the German regulation restricts the scope of this principle by precluding the purpose of ensuring the general functionality of the online medium from being subject to a balancing act against the interests or fundamental rights and freedoms of users.
In this context, the Court emphasized that federal institutions offering online media services may have a legitimate interest in ensuring the continued functionality of their publicly accessible websites beyond their specific use.
Source: Press Release of the Court of Justice of the European Union
Goldberg Attorneys at Law 2016
Attorney Michael Ullrich, LL.M. (Information Law)
Specialist Attorney for Information Technology Law
Email: info@goldberg.de
