The German Federal Court of Justice (GFCJ) was scheduled to judge, on October 28, 2014, whether dynamic IP addresses are "personal data" as defined in Article 2 of the EC Data Protection Directive, and if so, under which conditions dynamic IP addresses may be recorded and stored. Instead, the court referred the questions to the European Court of Justice (ECJ) for a preliminary ruling.
Dynamic IP Addresses
An IP address (short for Internet Protocol address) is a unique numerical label assigned to an information technology device (e.g., a computer or smartphone) participating in a network using the Internet Protocol system to identify itself and communicate with other devices. IP addresses can either be assigned permanently to the host by a fixed configuration of the used hardware or software (so-called "static IP address") or newly every time the device is booted (so-called "dynamic IP address"). IP addresses are mostly assigned dynamically to the host. Dynamic IP addresses have the advantage that they allow the network to work with a smaller address pool. Therefore, Internet service providers usually assign dynamic IP addresses to their (private) customers. The time period for which a user keeps the assigned dynamic address varies. For instance, some Internet service providers assign the IP addresses newly every 24 hours. However, according to a report on web tracking by the German Fraunhofer Institute for Secure Information Technology dated February 2014, 72 percent of Internet users had the same dynamic IP address for two weeks.
In the case pending at the GFCJ, the plaintiff, a German politician and data protection activist, seeks an order against the Federal Republic of Germany to desist from storing his assigned dynamic IP addresses beyond the end of the respective use of government websites. On most German government websites, the users' IP addresses are recorded along with the name of the website and the time of the request. The government stores this data in logfiles beyond the termination of the actual use of the website in order to fend off hacker attacks and to enable the prosecution of attackers.
The plaintiff argues that the assigned IP addresses can be linked to him, and therefore qualify as personal data, so that the recording and storage of the IP addresses required his explicit consent.
The district court dismissed the action. The court of appeal granted the order only insofar as plaintiff's request related to the storage of any IP address in conjunction with the access time if and when the plaintiff discloses his personal use of the website by entering further personal information in the course of his use of the website. Both parties appealed against this judgment.
The question whether a dynamic IP address qualifies as "personal data" even if it alone does not enable the recipient to identify the user is indeed one of the most debated topics in German and European data protection law. While the German Data Protection Authorities classify IP addresses per se as personal data, the majority of German courts and legal scholars regard IP addresses as personal data only if the recipient has access to additional information that allows the identification of the user.
The answer to this question is not only crucial for the current discussions in relation to the planned EU General Data Protection Regulation, but it also has significant practical implications for websites and other services that record and store the IP addresses of their users.
Two Questions for Preliminary Ruling
The GFCJ decided to suspend the proceedings and referred two questions for a preliminary ruling to the ECJ:
(1) Do IP addresses qualify as "personal data" under the EC Data Protection Directive in cases where only a third person, but not the recipient itself, has access to further information that enables an identification of the user?
The GFCJ states that an injunctive relief (order) required that the plaintiff's dynamic IP addresses qualify as personal data under Article 2 of the EC Data Protection Directive. Due to the GFCJ, this is questionable in cases where the plaintiff did not provide further personal information to the recipient that would enable his identification based on the assigned IP address. In the pending case, the government authorities had no access to such information. Furthermore, the plaintiff's Internet access provider was not allowed to transfer any such information on the plaintiff's identity to the defendant. Therefore, the GFCJ referred to the ECJ to answer whether Article 2 lit. a of the EC Data Protection Directive has to be interpreted that an IP address which a service provider records together with the access of its website already qualifies as "personal data" if only a third party, but not the recipient itself, has access to the additional information that is required to identify the user.
(2) Is Section 15 of the German Telemedia Act, according to telemedia service provider may collect and use the personal data of a user only to the extent necessary to enable and invoice the use of the service (usage data), consistent with the EC Data Protection Directive?
According to Section 12 of the German Telemedia Act (TMA), a telemedia service provider may only collect and use IP addresses (assuming they qualify as personal data) without the users' prior approval to the extent that the TMA or another statutory provision referring expressly to the TMA permits it. In the pending case, the reason for storing the IP addresses was to ensure and maintain the safety and functionality of the government websites. However, the GFCJ doubts that this is sufficient for permission under Section 15 of the TMA. For systematic reasons, the GFCJ assumes that under Section 15, TMA personal data may only be stored beyond the duration of the actual use of the service for invoicing purposes—otherwise the data needs to be deleted afterwards. However, according to the GFCJ, Article 7 lit. f of the EC Data Protection Directive might dictate a broader interpretation of Section 15 of the TMA. It follows that the national TMA might be in conflict with the EC Data Protection Directive regulation under which a service provider may collect and use personal data without the users' approval only to the extent necessary to enable and invoice the concrete use of the service and whereby the purpose of ensuring the general functionality of the telemedia service may not justify the storing of the data beyond the duration of the particular user activity.
If the ECJ should answer the first question in the affirmative, dynamic IP addresses would qualify as personal data under the EC Data Protection Directive even when the recipient has no access to further information that enables an identification of the user. The consequence would be that the recording, storage and use of dynamic IP addresses beyond the period of use for other purposes than invoicing would require consent of the user. Nowadays, the online behavior of users of dynamic IP addresses is often recorded and evaluated for marketing purposes, such as a measurement of attractiveness of a website, without the user's consent. In addition, law enforcement agencies and owners of copyright-protected content rely on the identification of infringers through the use of stored dynamic IP addresses. If users of a website become truly anonymous, the Internet community will face new and serious challenges.