(LUXEMBOURG) – A website operator can store certain personal data relating to visitors of the site if it helps to identify the visitor and also to protect itself against cyber attacks, the EU’s top court ruled on Thursday.
A user had sought an injunction in German courts to prevent websites run by federal authorities from registering and storing his internet protocol addresses, or ‘IP addresses’. The websites stored IP addresses as well as the date and time of access. The aim was to prevent cyber attacks and to make it possible to bring criminal proceedings if need be.
Germany’s federal court had asked the European Court of Justice whether ‘dynamic’ IP addresses also constituted personal data.
A dynamic IP address is an IP address which is different each time there is a new connection to the internet. Unlike static IP addresses, dynamic IP addresses do not enable a link to be established, by means of files accessible to the public, between a specific computer and the physical connection to the network used by the internet service provider.
Consequently, only the user’s internet service provider (ISP) has the additional information necessary to identify him.
The question was also asked whether a site operator must in principle have the possibility to collect and subsequently use visitors’ personal data in order to ensure the general operability of its website.
The general interpretation has been that those data must be deleted at the end of the consultation period unless they are required for billing purposes.
The Court’s judgement is that a dynamic IP address registered by a website operator constitutes personal data if the operator has the legal means enabling it to identify the visitor with the help of additional information which that visitor’s internet service provider has.
The Court recognised that there were legal channels in Germany which enabled a website operator to contact the competent authority in the event of cyber attacks, so that the latter may take the steps necessary to obtain that information from the internet service provider and subsequently bring criminal proceedings.
According to EU law, the processing of personal data is lawful if it is necessary to achieve a legitimate objective pursued by the controller, or by the third party to which the data are transmitted, provided that the interest or the fundamental rights and freedoms of the data subject do not override that objective.
German legislation reduces the scope of that principle by excluding the possibility of balancing the objective of ensuring the general operability of online media against the interest or the rights and freedoms of visitors.
The Court emphasised that the Federal German institutions, which provide online media services, may have a legitimate interest in ensuring the continued functioning of their websites which goes beyond each specific use of their publicly accessible websites.