A German court has ruled that website operators can store the internet protocol (IP) addresses of all visitors to their sites, without violating data protection legislation. Provided no other information is stored, IP addresses themselves, do not count as personal data, in the view of the German court.
Although there has been no similar issue before a UK court to date, the view taken by the German court reflects the view of the UK Information Commissioner in guidance published last year.
IP addresses are used by search engine companies and other web publishing operations, for the purposes of trying to identify users and to analyse their usage patterns.
The decision serves to highlight the opposing arguments posed by the privacy lobby, who argue that IP addresses should count as personal data and should therefore be protected under data protection legislation, and the opposing arguments by web publishers, who claim that whilst IP addresses can be viewed as personal data in some circumstances, they should not necessarily always be viewed in that context.
The basis of the ruling from the district court in Munich was that the IP address, when stored by an internet publisher, does not count as personal data under Germany's Privacy Act, because the information cannot easily be used to determine the user's identity. Further, the court stated that an internet service provider (ISP) could not divulge such information to a third party who was using a particular IP address at a particular time, without a proper legal basis. Such legal basis could only be derived from a court order. The only other way to obtain the identity of the user was if the information was given to a third party illegally.
The court's decision appears to have been based on the fact that IP addresses lack the "determinability" required of personal data. By this, it means that the identity of the user can be determined without a disproportionate burden being placed on the person trying to identify the user, and that the user can be identified using normally available knowledge and tools.
The court stated that web publishers could store IP addresses in server log files which track activity on each page.
The case was brought by an individual who argued that the storage of IP addresses in server log files was a breach of privacy because the information could be used to identify him and link his identity to his web surfing activity.
In 2007, the UK Information Commissioner published guidance which said that, when considered in isolation, IP addresses could not be classed as personal data. However, they could become personal data when used to build a profile on an individual or in the hands of an ISP.
The guidance focuses on two different forms of IP address. It states that "dynamic" addresses are those given to a user each time they connect to an ISP, and this address is different each time the user connects. In this scenario, it is only the ISP who can link the IP address to an individual, and therefore, it is difficult to see how the Act can cover the collecting of dynamic IP addresses which have no other identifying factors.
These should be contrasted with "static" addresses which can be linked to a specific computer, and therefore to a specific user. However, where this does occur, and a profile of the user can be built up, then both the address and the profile become personal information, and are covered by the Act.
The Article 29 Working Party, a committee of privacy watchdogs, has argued that IP addresses should be classified as personal data by both ISPs and website search engine operators, even though there are circumstances where they may not always be personal data. It argues that it is difficult for an ISP to be certain whether data is personal data, and on that basis, the ISP will have to err on the side of caution, and treat all of the information it holds as personal data. The same has to be said of search engine operators.