CJEU Ruling on Website Storage of IP Addresses

October 18, 2016

(What follows is based on a Curia press release. The full judgment was not available originally. The press release is somewhat opaque. The full judgment, which is now available, is here.)

In Case C-582/14 Patrick Breyer v Bundesrepublik Deutschland, Mr Patrick Breyer brought an action before the German courts seeking an injunction to prevent websites, run by the Federal German institutions that he consults, from registering and storing his internet protocol addresses (‘IP addresses’). Those institutions register and store the IP addresses of visitors to those sites, together with the date and time when a site was accessed, with the aim of preventing cybernetic attacks and to make it possible to bring criminal proceedings.

The Bundesgerichtshof (Federal Court of Justice, Germany) made a reference to the Court of Justice asking whether in that context ‘dynamic’ IP addresses also constitute personal data, in relation to the operator of the website, and thus benefit from the protection provided for such data. A dynamic IP address is an IP address which is different each time there is a new connection to the internet. Unlike static IP addresses, dynamic IP addresses do not enable a link to be established, by means of files accessible to the public, between a specific computer and the physical connection to the network used by the internet service provider. Therefore, only Mr Breyer’s internet service provider has the additional information necessary to identify him.

Furthermore, the Bundesgerichtshof asks whether the operator of a website must, at least in principle, have the possibility to collect and subsequently use visitors’ personal data in order to ensure the general operability of its website. It observes, in that regard, that most academic commentators in Germany interpret the relevant German legislation as meaning that those data must be deleted at the end of the consultation period unless they are required for billing purposes.

In its judgment, the Court indicates that a dynamic IP address registered by an ‘online media services provider’ (that is by the operator of a website, in the present case the German Federal institutions) when its website, which is accessible to the public, is consulted constitutes personal data (within the meaning of the Data Protection Directive) with respect to the operator if it has the legal means enabling it to identify the visitor with the help of additional information which that visitor’s internet service provider has.

The Court observes that in Germany there appear to be legal channels enabling the online media services provider to contact the competent authority, in particular, in the event of cyberattacks, so that the latter may take the steps necessary to obtain that information from the internet service provider and subsequently bring criminal proceedings. (In this case the websites concerned are run by the Federal German institutions but the Court observes that it appears that the Federal German institutions act, in spite of their status as public authorities, as individuals.)

Second, the Court states that the Data Protection Directive precludes legislation of a Member State under which an online media services provider may collect and use a visitor’s personal data, without his consent, only to the extent that it is necessary to facilitate and invoice the specific use of services by that visitor, so that the objective of aiming to ensure the general operability of those services cannot justify the use of such data after those services have been accessed.

The Court recalls that, according to EU law, the processing of personal data is lawful, inter alia, if it is necessary to achieve a legitimate objective pursued by the controller, or by the third party to which the data are transmitted, provided that the interest or the fundamental rights and freedoms of the data subject does not override that objective.

The German legislation, as interpreted by the majority of legal commentators, reduces the scope of that principle, by excluding the possibility of balancing the objective of ensuring the general operability of online media against the interest or the rights and freedoms of visitors.

In that context, the Court emphasises that the Federal German institutions, which provide online media services, may have a legitimate interest in ensuring the continued functioning of their websites which goes beyond each specific use of their publicly accessible websites.