EU News
Printable version

CJEU: Storing visitors personal data to a website in order to protect against cyberattacks

Mr Patrick Breyer has brought an action before the German courts seeking an injunction to prevent websites, run by the Federal German institutions that he consults, from registering and storing his internet protocol addresses (‘IP addresses’). Those institutions register and store the IP addresses of visitors to those sites, together with the date and time when a site was accessed, with the aim of preventing cybernetic attacks and to make it possible to bring criminal proceedings.

The Bundesgerichtshof (Federal Court of Justice, Germany) has made a reference to the Court of Justice asking whether in that context ‘dynamic’ IP addresses also constitute personal data, in relation to the operator of the website, and thus benefit from the protection provided for such data. A dynamic IP address is an IP address which is different each time there is a new connection to the internet. Unlike static IP addresses, dynamic IP addresses do not enable a link to be established, by means of files accessible to the public, between a specific computer and the physical connection to the network used by the internet service provider. Therefore, only Mr Breyer’s internet service provider has the additional information necessary to identify him.

Furthermore, the Bundesgerichtshof asks whether the operator of a website must, at least in principle, have the possibility to collect and subsequently use visitors’ personal data in order to ensure the general operability of its website. It observes, in that regard, that most academic commentators in Germany interpret the relevant German legislation as meaning that those data must be deleted at the end of the consultation period unless they are required for billing purposes.

By yesterday’s judgment, the Court replies, first of all, that a dynamic IP address registered by an ‘online media services provider’ (that is by the operator of a website, in the present case the German Federal institutions) when its website, which is accessible to the public, is consulted constitutes personal data with respect to the operator if it has the legal means enabling it to identify the visitor with the help of additional information which that visitor’s internet service provider has.

Click here for full press release


Share this article

Latest News from
EU News

Your Guide to Public Sector Payments 101