Are Dynamic IP-Addresses “Personal Data” As Defined By the EU Data Protection Directive?

And if so; May they be recorded? – The German Federal Court of Justice (BGH) in its decision dated October 28, 2014, court ref. VI ZR 135/13 referred to the to the European Court of Justice (ECJ) for a preliminary ruling regarding the interpretation of the EU Data Protection Directive concerning the definition of the term “personal data” therein and recording of dynamic IP-addresses.

The question if any IP-address qualifies personal data in terms of the law even if it cannot serve to identify the user is one of the most discussed questions in German data protection law. In its press release dated October 28, 2014 the BGH informs that it has referred to the ECJ to decide inter alia on this question in a preliminary ruling on the interpretation of the “DIRECTIVE 95/46/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data” , short EU Data Protection Directive.

In the case pending before the BGH the claimant requests that the Federal Republic of Germany (FRG) desist from recording his dynamic IP-addresses. On most of the FRG’s publicly accessible websites the access data is recorded with the declared goal to ward off attacks and to facilitate the persecution of attackers. Inter alia, the name of the visited website, the time of access, and the IP-address of the accessing computer are being recorded beyond the termination of the use of the website by the user. On some of these websites the claimant while using the services entered information, for instance his name or email, that allow personal identification.

In the first instance the claim was rejected. In the second instance the claim was granted insofar as it referred to the recording of IP-addresses in connection with the access time in the cases where the claimant during the use enters his particulars. Both parties appealed the decision. The BGH now suspended the proceedings and referred to the ECJ with the following questions:

(1) A desist order requires that the dynamic IP-addresses qualify as “personal data” in terms of the directive. This is questionable in the cases where the claimant did not enter his particulars on the website. In the pending case the relevant authorities had no information that allowed an individualization of the claimant and the communications service provider was not allowed to forward any information on the claimant’s identity. The BGH therefore referred to the ECJ with the question if Article 2 lit. a of the Directive was to be interpreted in the way that an IP-address that the provider of an online service (the FRG in this case) saves in connection with an access to its website already qualifies as “personal data” if only a third party holds the information necessary to identify the user.

(2) Provided the IP-address in the above situation is “personal data” and provided that the user has not given his express consent to the recording the IP-address must not be recorded without an express permission by the applicable law to do so (§ 12 (1) TMG – German Telemedia Act). The FRG’s intention behind the recording of the IPs is to guarantee and to maintain the security and the functionality of their telemedia. It is questionable of this is sufficient for a permission in accordance with § 15 (1) TMG. According to this § 15 (1) TMG the service provider may only collect and process personal date insofar as it is necessary to enable and to bill the use of the service. In view of the wording of this norm it seems that the personal data may only be saved beyond the termination of a session in case it is necessary for billing purposes. Otherwise the data is to be deleted at the end of the session. However, Art. 7 lit. f of the Directive light require a broader interpretation. The BGH therefore asks in its second question if the EU Data Protection Directive is n conflict with a national norm with the content of § 15 (1) TMG whereby the service provider may collect and process the users’ personal data without consent only to enable and bill the concrete usage of the service and whereby the aim to guarantee the general functionality of the website cannot justify the recording beyond the termination of this particular use.

Leave a Reply

Your email address will not be published. Required fields are marked *