The EU’s top court recently ruled that it considers dynamic IP addresses as “personal data,” just like static IP addresses. Dynamic IPs now have protection against websites collecting and storing them.
Dynamic IP Addresses
An IP (internet protocol) address is a number assigned to devices that connect to a computer network. It’s a set of numbers that look something like this: 192.168.1.1 (IPv4) or 2001:db8:0:1234:0:567:8:1 (IPv6). The Internet Assigned Numbers Authority (IANA) manages IP address space allocations all around the world.
IP address comes in two configurations: static and dynamic. A static IP address doesn’t change – it has a persistent configuration. In contrast, dynamic IP addresses change each time the device, like a computer, connects to a network.
The case started with German Pirate Party politician Patrick Breyer. He asked the German Federal Court of Justice to grant an injunction to stop websites that he consults – that German federal entities run – from collecting and storing his dynamic IP addresses. The German court then passed the case on to the Court of Justice of the European Union (CJEU).
On Wednesday, the CJEU said that a legitimate reason for a website owner to store dynamic IPs is to “protect itself against cyber attacks.” According to Austrian newspaper der Standard, Breyer is afraid that by collecting his dynamic IPs, German authorities could build a profile of his interests.
The CJEU ultimately ruled [PDF] that dynamic IP addresses are personal data, even though they don’t consistently refer to one person. This holds up as long as a website
“has the legal means enabling it to identify the visitor with the help of additional information which that visitor’s Internet service provider has.”
Since this is usually the case in Germany, the court said dynamic IPs would then be personal data, which is an important distinction. Under EU law, processing personal data is only lawful if it’s necessary
“to achieve a legitimate objective pursued by the controller, or by the third party to which the data are transmitted, provided that the interest or the fundamental rights and freedoms of the data subject does not override that objective.”
In the case, the CJEU said that the German federal institutions that run the websites “may have a legitimate interest in ensuring the continued functioning of their websites which goes beyond each particular use of their publicly accessible websites…” to protect their sites against online attacks. In this instance, they can store the IP addresses for this purpose – whether the IPs are dynamic or static.
The case will now pass back to the German Federal Court of Justice. It will then make its judgment based on the CJEU’s opinion. Based on the CJEU’s stance, it seems probable that the court won’t grant Breyer an injunction against Germany’s federal sites from storing data about his visits.