The plaintiff demands that the defendant Federal Republic of Germany cease and desist from storing dynamic IP addresses. These are sequences of numbers which are assigned to networked computers every time they dial up in order to enable their communication on the internet. In a large number of generally accessible internet portals of the federal government, all accesses are recorded in log files with the aim of warding off attacks and enabling the prosecution of attackers. Among other things, the name of the page accessed, the time of access and the IP address of the accessing computer are stored beyond the end of the respective usage process. In the past, the plaintiff accessed various such websites.
In his action, he sought to order the defendant to refrain from storing IP addresses assigned to him beyond the end of the respective use. The district court dismissed the action. On the plaintiff's appeal, the District Court granted the plaintiff the injunctive relief only insofar as it concerns storage of IP addresses in connection with the time of the respective use and the plaintiff provides his personal data during a use. Both parties have filed an appeal against this judgement, which was allowed by the court of appeal.
In its decision of 28 October 2014 - VI ZR 135/13, VersR 2015, 370, the Federal Court of Justice (Bundesgerichtshof, see press release of the Federal Court of Justice No. 152/2014) stayed the proceedings and referred two questions on the interpretation of the EC Data Protection Directive to the European Court of Justice for a preliminary ruling. After the Court of Justice answered the questions in its judgment of 19 October 2016 - C-582/14, NJW 2016, 3579, the VI Civil Senate of the Federal Court of Justice has now ruled on the parties' appeals in its judgment of 16 May 2017. These were successful and led to the reversal of the appeal judgment and the remittal of the case to the Court of Appeal.
On the basis of the ECJ ruling, the constituent element "personal data" of Section 12 (1) and (2) TMG in conjunction with Section 3 (1) BDSG is to be interpreted in conformity with the Directive: A dynamic IP address stored by a provider of online media services when a person accesses an Internet page that this provider makes generally accessible constitutes a (protected) personal data for the provider.
The IP address may only be stored as personal data under the conditions of Section 15 (1) TMG. This provision is to be applied in conformity with the Directive in accordance with Article 7(f) of Directive 95/46 EC - as interpreted by the ECJ - to the effect that a provider of online media services may collect and use personal data of a user of these services without the user's consent, even beyond the end of a usage process, to the extent that their collection and use are necessary to ensure the general functioning of the services. However, this requires a balancing with the interest and the fundamental rights and freedoms of the users.
This weighing could not be conclusively carried out in the case in dispute on the basis of the findings made by the Court of Appeal. The Court of Appeal did not make sufficient findings as to whether the storage of the plaintiff's IP addresses beyond the end of a usage process is necessary in order to ensure the (general) functionality of the respective services used. According to the defendant's own statements, it refrains from storing the respective IP addresses of the users for a large number of the portals it operates due to a lack of "pressure to attack". In contrast, there are no findings, in particular, as to how high the risk potential is for the other online media services of the Federation, which the plaintiff wants to use. Only when corresponding findings have been made in this regard will the Court of Appeal have to weigh the interest of the defendant in maintaining the functionality of its online media services against the interest or the fundamental rights and freedoms of the plaintiff, as required by the judgment of the European Court of Justice. In doing so, the aspects of general prevention and criminal prosecution will also have to be duly taken into account.
Judgment of the BGH of 15 May 2017 - VI ZR 135/13
Lower courts:
AG Tiergarten - Judgement of 13 August 2008 - 2 C 6/08
LG Berlin - Judgment of 31 January 2013 - 57 S 87/08
Source: Press release of the Federal Supreme Court of 16.05.2017
Goldberg Attorneys at Law 2017
Attorney at Law Michael Ullrich, LL.M. (Information Law)
Specialist lawyer for information technology law
E-mail: info@goldberg.de
