If you run a website, you might want to breathe a sigh of relief. A decision this morning from the European Court of Justice means that websites can continue to store visitor IP addresses.
The EU Court of Justice (ECJ) ruled that IP addresses are to be considered “personal data”, which are subject to the EU’s data protection rules, but hedged against causing disruption by watering down the ruling.
From the ECJ press release:
The dynamic internet protocol address of a visitor constitutes personal data, with respect to the operator of the website, if that operator has the legal means allowing it to identify the visitor concerned with additional information about him which is held by the internet access provider.
It would have been a shock to many if the ruling had gone the other way.
Why this matters
The immediate impact of a decision stopping the logging of IP addresses would have been disruption to many websites and services. IT departments everywhere would have thrown up their hands in despair at the task of expunging IP addresses from systems and databases that have relied on them.
Web services routinely keep a log of their users’ IP addresses. These logs are used for numerous largely mundane and innocuous purposes, such as to provide customized features to particular users, to prevent or enable access to content, or to blacklist IP addresses involved in “denial of service” attacks against a site.
IP addresses are rather more valuable to other companies. For instance, some adtech companies use IP addresses to identify and target consumers. Netflix and other content providers rely on IP addresses to restrict the use of VPNs to access TV shows and movies in blocked countries.
While the ruling will probably pass by unnoticed, it is clear that websites have been granted a very real (although possibly temporary) reprieve, as the EU has been quick to act on ECJ rulings despite potentially devastating effects on companies both in Europe and elsewhere.
Background to the ECJ’s decision
The ECJ was asked to rule on two issues:
This followed eight years of litigation in various German courts, which initiated in an action taken against the German government by Patrick Breyer, a member of Germany’s Pirate Party. Breyer argued that government websites did not have an unrestricted right to indefinitely record the IP addresses of visitors without their consent.
Although IP addresses on their own are largely innocuous, Breyer gave two ways that government websites could combine IP addresses with other data to identification of an individual.
First, internet service providers (ISP) record customers’ real names and addresses, and assign their IP addresses. It is not inconceivable that a government could gain access to these records and connect a person’s real identity to their IP address.
Second, when combined with pages visited or search terms, IP addresses can provide an extensive profile of the visitor’s “political opinion, illnesses, religion, union affiliation” and more.
Today’s ruling will probably allow the German Supreme Court to rule against Breyer, as it effectively states that: