AOP on Youtube
AOP on Twitter
AOP on LinkedIn
AOP on Facebook

Reprieve for IT departments as EU court rules on IP addresses

If you run a website, you might want to breathe a sigh of relief. A decision this morning from the European Court of Justice means that websites can continue to store visitor IP addresses.


The EU Court of Justice (ECJ) ruled that IP addresses are to be considered “personal data”, which are subject to the EU’s data protection rules, but hedged against causing disruption by watering down the ruling.


From the ECJ press release:

The dynamic internet protocol address of a visitor constitutes personal data, with respect to the operator of the website, if that operator has the legal means allowing it to identify the visitor concerned with additional information about him which is held by the internet access provider.

It would have been a shock to many if the ruling had gone the other way.


Why this matters

The immediate impact of a decision stopping the logging of IP addresses would have been disruption to many websites and services. IT departments everywhere would have thrown up their hands in despair at the task of expunging IP addresses from systems and databases that have relied on them.

Web services routinely keep a log of their users’ IP addresses. These logs are used for numerous largely mundane and innocuous purposes, such as to provide customized features to particular users, to prevent or enable access to content, or to blacklist IP addresses involved in “denial of service” attacks against a site.

IP addresses are rather more valuable to other companies. For instance, some adtech companies use IP addresses to identify and target consumers. Netflix and other content providers rely on IP addresses to restrict the use of VPNs to access TV shows and movies in blocked countries.

While the ruling will probably pass by unnoticed, it is clear that websites have been granted a very real (although possibly temporary) reprieve, as the EU has been quick to act on ECJ rulings despite potentially devastating effects on companies both in Europe and elsewhere.

Background to the ECJ’s decision

The ECJ was asked to rule on two issues:

  1. whether an IP address is personal data, and
  2. whether the practice of logging IP addresses without consent was legal.

This followed eight years of litigation in various German courts, which initiated in an action taken against the German government by Patrick Breyer, a member of Germany’s Pirate Party. Breyer argued that government websites did not have an unrestricted right to indefinitely record the IP addresses of visitors without their consent.

Although IP addresses on their own are largely innocuous, Breyer gave two ways that government websites could combine IP addresses with other data to identification of an individual.

First, internet service providers (ISP) record customers’ real names and addresses, and assign their IP addresses. It is not inconceivable that a government could gain access to these records and connect a person’s real identity to their IP address.

Second, when combined with pages visited or search terms, IP addresses can provide an extensive profile of the visitor’s “political opinion, illnesses, religion, union affiliation” and more.

The ruling

Today’s ruling will probably allow the German Supreme Court to rule against Breyer, as it effectively states that:

  1. a dynamic IP address constitutes personal data for a website operator only if it has the legal means enabling it to identify the visitor with the help of additional information from the ISP
  2. a website operator may collect and store personal data without consent for an indeterminate period so as to ensure the continued functioning of the website
AOP on LinkedIn
AOP on Twitter
AOP on Facebook
AOP on YouTube