In German appeal proceedings, the Bundesgerichtshof has referred to the European Court of Justice for a preliminary ruling two questions on the qualification of IP addresses as personal data and on the interpretation of a German provision relating to the ground for processing data, i.e. legitimate interests.
The two questions are:
Must Article 2(a) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281, p. 31) – the Data Protection Directive – be interpreted as meaning that an Internet Protocol address (IP address) which a service provider stores when his website is accessed already constitutes personal data for the service provider if a third party (an access provider) has the additional knowledge required in order to identify the data subject?
Does Article 7(f) of the Data Protection Directive preclude a provision in national law under which a service provider may collect and use a user’s personal data without his consent only to the extent necessary in order to facilitate, and charge for, the specific use of the telemedium by the user concerned, and under which the purpose of ensuring the general operability of the telemedium cannot justify use of the data beyond the end of the particular use of the telemedium?
The background to these questions is as follows. Many federal government institutions in Germany record the IP addresses of visitors to their websites in log files. Once the visitors have left the website, the institutions in question store not only the recorded IP addresses but also a range of other data, including the time of visits. In this case, brought against the Federal Republic of Germany as defendant, the applicant, Patrick Breyer, requested the court to prohibit the storage of his IP address after his use of the websites in question unless such storage is necessary to restore the availability of the website in the event of a breakdown.
The court of first instance dismissed the application. Part of the claim was allowed on appeal, more specifically to the extent that Breyer, while using the relevant websites, had also provided other personal data to the website holders on the basis of which he could be identified, for instance an e-mail address containing his name. Both parties requested a judicial review (Revision in German) of the appellate court’s judgment.
Does an IP address constitute personal data?
As to the first question, the Bundesgerichtshof takes the position that the stored IP address of a visitor who gives a fictitious name when using a website, in combination with the time of the visit, does not constitute personal data because with that information the website holder is not reasonably able to establish the visitor’s identity (‘reasonably’ meaning without spending a disproportionate amount of time, money and effort; where identification would require such an effort, the risk of identification is virtually non-existent). According to this line of reasoning, Breyer could only claim cessation of the recording and storage of his IP address after his use of a website to the extent that this IP address can be linked to his name and for that reason constitutes personal data. In all other respects, the IP address would not qualify as personal data and would therefore not be governed by the German ban on processing personal data (see below).
However, Breyer may file a further claim for cessation if his IP address – at any rate in combination with the time of his website visits – qualifies as personal data and there is no ground for justifying the processing of these data after the visits. The IP address may qualify as personal data if, on the basis of the combined data recorded, it is reasonably possible to identify Breyer using the resources of a third party, in this case for instance the internet service provider. In that event, processing the IP address as personal data is potentially prohibited.
Does the Directive preclude a provision in national law?
If it is accepted that the applicant’s IP address constitutes personal data, the Bundesgerichtshof faces the following issue. Pursuant to German legislation, personal data may be stored after a website visit only if and insofar as the right to do so is provided for by law or a statutory regulation applicable to the government agency in question, or is based on the data subject’s consent.
It is abundantly clear that no such consent was given. German law provides a ground for justifying the relevant federal agencies’ processing of these data, namely to facilitate and charge for the use of their websites. The defendant invokes this justification, stating that it needs IP addresses to protect itself against DoS attacks, with a view to facilitating the use of its website in general.
However, a strict interpretation of this German rule, to the effect that the use referred to in the justification pertains only to the relationship between the data subject and individual website holders, implies that website holders are not entitled to invoke it, given that the data subject has stopped using (i.e. visiting) the website by the time the holder processes his IP address for security purposes. In that case, there is no ground for storing IP addresses (there is no invoicing) and the claim must therefore be allowed.
The Bundesgerichtshof wonders whether the strict interpretation of national legislation it advocates could imply an excessively narrow implementation of the ‘legitimate interests’ justification referred to in the Data Protection Directive.
Incidentally, the prevailing doctrine in the Netherlands is that IP addresses (at any rate in most cases) do qualify as personal data and must consequently be treated as such. The Article 29 Data Protection Working Party, a consultative body representing all European data protection authorities, also holds this view.
In that light, the answer to the Bundesgerichtshof’s first question – in particular considering the way it is worded – may well be an easy one.