The dynamic internet protocol address of a user constitutes personal data for the website operator if he has legal means to have the user in question identified on the basis of the additional information held by his internet access provider.
Mr Patrick Breyer is suing in the German courts against the fact that the websites of federal institutions that he accesses record and store his Internet Protocol ("IP") addresses. In addition to the time of access, these institutions also record and store the IP addresses of users in order to guard against cyberattacks and to enable prosecution.
The German Federal Supreme Court wants to know from the Court of Justice whether, in this context, "dynamic" IP addresses also constitute personal data for the website operator, so that they enjoy the protection provided for such data. A "dynamic" IP address is an IP address that changes with each new internet connection. Unlike static IP addresses, dynamic IP addresses do not allow a connection to be established between a computer and the physical network connection used by the Internet access provider by means of generally accessible files. Thus, only Mr Breyer's internet access provider has the additional information necessary to identify him.
The Federal Court of Justice also wants to know whether the operator of a website must, at least in principle, have the possibility to collect and use personal data of users in order to ensure the general functioning of its website. In this regard, it points out that the relevant German regulation is predominantly interpreted by German doctrine to the effect that the data must be deleted at the end of the respective usage process, unless it is needed for billing purposes.
In its judgment of 19.10.2016, the Court first responds that a dynamic IP address stored by a "provider of online media services" (i.e.by the operator of a website, in this case the federal institutions) when accessing its generally accessible website constitutes personal data for the operator if it has legal means to have the user identified on the basis of the additional information held by the user's internet access provider.
The Court states in this regard that there appear to be legal possibilities in Germany which allow the provider of online media services to contact the competent authority, in particular in the case of cyberattacks, in order to obtain the information in question from the internet access provider and subsequently to initiate prosecution.
Second, the Court replies that EU law precludes a rule of a Member State under which a provider of online media services may collect and use personal data of a user of those services without that user's consent only to the extent that their collection and use are necessary to enable and bill the specific use of the services by the user concerned, without the purpose of ensuring the general functioning of the services being able to justify the use of the data beyond the end of a period of use.
The processing of personal data is lawful under Union law, inter alia, if it is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.
According to its interpretation, which is predominantly represented in the doctrine, the German regulation limits the scope of this principle by excluding that the purpose of ensuring the general functioning of the online medium can be the subject of a balancing with the interest or the fundamental rights and freedoms of the users.
In this context, the Court emphasises that federal bodies providing online media services may have a legitimate interest in ensuring that the websites they make generally accessible continue to function beyond their specific use.
Source: Press release of the Court of Justice of the European Union
Goldberg Attorneys at Law 2016
Attorney at Law Michael Ullrich, LL.M. (Information Law)
Specialist lawyer for information technology law
E-mail: info@goldberg.de
