How does an IP ban work

ECJ loosens ban on IP address storage

The European Court of Justice (ECJ) considers dynamically assigned IP addresses to be "personal data" within the meaning of data protection law - but only under certain conditions. This was announced by the European Supreme Court on Wednesday. So far, however, only the press release is available on the long awaited verdict in the "Patrick Breyer vs. Federal Republic of Germany" case (Az. C 582/14). The full text of the judgment should follow in the course of the day.

Dynamically assigned IP addresses are only personal if the website operator storing them "has legal means that allow him to determine the user in question on the basis of the additional information that his Internet access provider has". In plain language: Only if the operator - for example in the event of an attack on the website - can receive the name and address of the address holder from the issuing access provider, the addresses are also personal. The ECJ declared that "there are apparently legal options in Germany".

The court is likely to emphasize that operators can file a criminal complaint and thus induce law enforcement authorities to determine the data. By inspecting the files in this process, they could get to the information. Since this possibility is basically open to every operator, the ECJ decision could be interpreted in such a way that all dynamically assigned IP addresses fall under it. But this is still unclear. It remains to be seen whether the full text of the judgment will provide clarification.

German data protection law invalid

In its judgment, the ECJ also found that Section 15 (1) of the German Telemedia Act (TMG) violates EU law. According to this paragraph, website operators are only allowed to store IP addresses of their visitors if they are necessary for use or billing. This common practice in Germany is contrary to the EU data protection directive from 1995.

The processing of personal data is lawful "if it is necessary to realize the legitimate interest exercised by the person responsible for the processing or by the third party (s) to whom the data are transmitted, unless the interest or fundamental rights and Fundamental freedoms of the data subject outweigh ". This balancing act is missing in the TMG. Specifically, this should mean that website operators may well be allowed to save IP addresses for system security purposes, for example.

Long smoldering legal battle

In the specific case, it is about a legal dispute between the Schleswig-Holstein Pirate MP Patrick Breyer and the Federal Republic of Germany. This legal dispute has been simmering since 2007. Breyer wants all federal websites to stop storing the IP addresses of visitors for three months without consent, thereby enabling tracking. Ultimately, the privacy advocate is concerned with a general ban on IP logging without specific consent.

The federal government argues that the storage is necessary to enable the secure operation of the web server, i.e. to ward off attacks and identify attackers if necessary. She insists that without the help of access providers with dynamically assigned IP addresses, she has no way of identifying visitors based on their IP address. This is forbidden to her anyway. The stored IP addresses are therefore not personal data within the meaning of the Federal Data Protection Act (BDSG), but can only be related to third parties.

Possible abuse

That is not enough for Breyer. According to his argument, "only deleted surf logs are really effectively protected against assignment and misuse". The IP address storage is de facto a three-month data retention period and enables user tracking without consent. The federal government violates the right to informational self-determination of website visitors as well as Paragraph 12 TMG.

Most recently, the district court (LG) Berlin ruled in the matter at the beginning of 2013 as an appeal instance. Accordingly, storage is only prohibited if the website operator can infer the visitors from the IP addresses (Az. 57 S 87/08). As long as the user does not provide any "personal details, including in the form of an email address identifying the personal details", storage is permitted. Both Breyer and the federal government have appealed against this ruling, so that the Federal Court of Justice (BGH) is now dealing with the question.

ECJ questioned

In October 2014, the BGH asked the ECJ to clarify to what extent IP addresses are personal under European data protection law. In addition, the highest German court would like to know whether the European data protection directive is in line with German data protection law, according to which storage of IP addresses for system security purposes is not permitted beyond the period of use of the website.

In May, Advocate General Manuel Campos Sánchez-Bordona had already taken a position on this for the European Court of Justice (ECJ). He considers it necessary to protect data even if a third party would be able to relate the data to a person. However, not every knowledge of a hypothetical, unknown and unreachable third party is relevant. But attention should be paid to at least the knowledge of those actors who "reasonably feasible or practicable" could provide additional information about the passenger train.

[Update October 19, 2016, 2:00 p.m.]

The ECJ has now published the judgment. In it the court confirms that it only assumes a "relative" personal reference from dynamically assigned IP addresses. Website operators therefore only have the option, with the help of access providers, of determining their users on the basis of the IP addresses.

In its order for reference, the BGH pointed out that German law does not allow access providers to "directly transmit" the additional information required to identify the person concerned to the website operator. However, there are apparently legal options for website operators that allow them to contact the competent authority, especially in the event of cyberattacks, in order to obtain the information in question from the Internet access provider and to initiate criminal prosecution. The BGH has yet to examine whether this is the case.

Breyer disappointed

In an initial statement, the plaintiff Patrick Breyer admits that he had missed his goals: "Although I was able to decide for myself the long-standing dispute about whether surfing protocols with IP addresses are subject to data protection, the court has at the same time banned mass surfing logging , which was laid down in the German Telemedia Act. Whether EU law allows providers to record our Internet usage behavior on a massive scale and if so, for how long, is left open and undecided by the Court of Justice. "

Breyer now fears new legal uncertainties: "The required balancing of interests is likely to occupy the courts for a long time." He emphasizes that, in his opinion, the storage of IP addresses is not necessary for the secure operation of a website - contrary to what the federal government claims. A court opinion proves this. "Wanting to protect Internet systems through user monitoring would be as pointless as hanging a video camera over an open warehouse," said Breyer. (raised)

Read comments (165) Go to homepage