German court says ISPs do not violate the law by storing IP addresses

By EDRi · October 22, 2008

(Dieser Artikel ist auch in deutscher Sprache verfügbar)

On 30 September 2008, the Munich District Court decided in a provisional
ruling that website operators were not violating the data protection
legislation when storing IP addresses of their visitors as IP addresses
alone are not considered personal data.

The case was brought to the court by an individual who argued that storing
IP addresses in log files by a web publisher represents a privacy violation
because the information could be used to identify him and relate his
identity to his web surfing activity. The court dismissed his arguments and
ruled against his claim.

The court considers IP addresses are not personal data under the German
Privacy Act because the information cannot be easily used to determine a
person’s identity and an ISP could not tell a third party who was using a
particular IP address at a particular time without a legal basis. Such
information is provided by ISPs only when ordered by a court.

The ruling also said that IP addresses lacked the necessary quality of
“determinability” to be personal data, meaning the identity of the person
behind the information cannot be established without a significant effort
and by using “normally available knowledge and tools.”

However, we should not over-estimate the relevance of this decision.It was
taken by a local court with no IT experts and the judge did not discuss the
dissenting decisions from higher level Berlin courts. The decision only
applies to dynamic IP addresses.

Privacy activists have argued that IP addresses should count as personal
data under data protection legislation. The Article 29 Working Party has
also said that IP addresses should be treated as personal data by ISPs and
search engines, even if they are not always personal data. “Unless the
Internet Service Provider is in a position to distinguish with absolute
certainty that the data correspond to users that cannot be identified, it
will have to treat all IP information as personal data, to be on the safe
side. These considerations will apply equally to search engine operators,”
said a report issued by the Article 29 Working Party in April.

Regarding the fact that IP addresses are not considered personal data by
some, in an interview given to EurActiv on the data protection rules, the
European Data Protection Supervisor Peter Hustinx explained : “As of today
there is some uncertainty, and this is why we will probably see a study from
the Commission to shed light on this. But the common view of the data
protection specialists is that in many situations IP addresses are personal
data. Therefore websites, Internet Service Providers and other parties
should ensure data protection compliance. This is an important thing to
emphasise.” He also believes that The European Commission
should clarify the application of existing data protection rules in relation
to RFID in order to avoid “big social dangers”.

German court says IP addresses in server logs are not personal data

Hustinx: Tracking people ‘easier’ with RFID (3.10.2008)

AG, Munich: IP addresses may be used by Web site operators are stored (only
in German, 7.10.2008)