The plaintiff demands that the defendant Federal Republic of Germany cease and desist from storing dynamic IP addresses. These are sequences of digits which are assigned to networked computers every time they dial up in order to enable their communication on the internet. In most generally accessible federal internet portals, all accesses are recorded in log files with the aim of warding off attacks and enabling the prosecution of attackers. Among other things, the name of the page accessed, the time of access and the IP address of the accessing computer are stored beyond the end of the respective usage process. In the past, the plaintiff accessed various such websites.
In his action, he sought to order the defendant to refrain from storing IP addresses assigned to him beyond the end of the respective use. The district court dismissed the action. On the plaintiff's appeal, the District Court granted the plaintiff the injunctive relief only insofar as it concerns storage of IP addresses in connection with the time of the respective use and the plaintiff provides his personal data during a use. Both parties have filed an appeal against this judgement, which was allowed by the court of appeal.
The Federal Court of Justice decided to stay the proceedings and to refer two questions on the interpretation of the EC Data Protection Directive to the European Court of Justice for a preliminary ruling.
1. the claim for injunctive relief presupposes that the dynamic IP addresses are "personal data" for the defendant's responsible bodies storing the addresses, which are protected by the data protection law harmonised by the Directive. This could be questionable in the cases where the plaintiff did not provide his personal details during a usage process. After all, according to the findings made, the responsible authorities did not have any information that would have made it possible to identify the plaintiff on the basis of the IP addresses. The plaintiff's access provider was also not allowed to provide the responsible authorities with information about the plaintiff's identity. The Federal Court of Justice therefore referred the question to the European Court of Justice as to whether Article 2(a) of the EC Data Protection Directive is to be interpreted as meaning that an IP address which a service provider stores in connection with an access to its internet site already constitutes a personal data for the service provider if only a third party has the additional knowledge necessary to identify the data subject.
If one assumes "personal data", the IP addresses of the user may not be stored without legal permission (Section 12 (1) of the German Telemedia Act) if - as in this case - the user's consent is missing. According to the defendant's submission, which is decisive for the legal examination, the storage of IP addresses is necessary to guarantee and maintain the security and functionality of its telemedia. It is questionable whether this is sufficient for authorisation under Section 15(1) TMG. Systematic considerations suggest that this provision only permits data collection and use to enable a concrete usage relationship and that the data, insofar as it is not required for billing purposes, must be deleted at the end of the respective usage process. However, Art. 7(f) of the EC Data Protection Directive could require a broader interpretation. The Federal Court of Justice therefore referred the question to the European Court of Justice as to whether the EC Data Protection Directive precludes a provision of national law with the content of Section 15 (1) of the German Telemedia Act (TMG), according to which the service provider may only collect and use personal data of a user without the user's consent to the extent that this is necessary to enable the specific use of the telemedium by the respective user and to bill for it, and according to which the purpose of ensuring the general functioning of the telemedium cannot justify the use beyond the end of the respective usage process.
Judgment of the Federal Supreme Court of 28 October - VI ZR 135/13
Lower courts:
AG Tiergarten - Judgement of 13 August 2008 - 2 C 6/08
LG Berlin - Judgment of 31 January 2013 - 57 S 87/08 - ZD 2013, 618 and CR 2013, 471
Source: Press release of the BGH
Goldberg Attorneys at Law 2015
Attorney at Law Michael Ullrich, LL.M. (Information Law)
Specialist lawyer for information technology law
E-mail: info@goldberg.de
