On Wednesday 19 October, the European Court of Justice stated that an IP address that helps to identify a website visitor involved data of personal nature and that this kind of data could be collected by the website operator in an effort to prepare against cyber attacks and facilitate the possibility of introducing criminal proceedings.
This case (C-582/14) involves Federal German website services that record and maintain internet protocol addresses (IP addresses) in an effort to combat fight cyber attacks.
The German Federal Court of Justice approached the European Court of Justice to establish whether in this context, "dynamic" IP addresses of a visitor constitute personal data, with respect to the operator of the website, and therefore benefited from the protection included in EU law on this kind of data.
In contrast to fixed IP addresses, dynamic IP addresses do not allow for the immediate identification of the internet user. In this connection, it is necessary to request information from the internet access provider.
According to the Federal Court, the German legislation, as interpreted by the majority of legal commentators in this field argues that this data contained in IP addresses must be erased by the website operator at the end of the user’s consultation session. The only exception relates to cases where this kind of data is required for invoicing purposes.
The European Court of Justice holds that there is no difference between a fixed IP address or a dynamic IP address, given that both of them are used to identify what is concealed behind the address. It therefore does indeed involve personal data in both cases.
Nonetheless, the European judges consider that the German doctrine was in contradiction with EU law. This doctrine is too restrictive because it reduces the scope of that principle, by excluding the possibility of balancing the objective of ensuring the general operability of online media against the interest or the rights and freedoms of visitors. (Original version in French by Jan Kordys)