Are IP addresses “personal data” when stored in a log? European Court of Justice to decide the issue

The European Court of Justice is called to decide whether server logs shall be considered as ‘personal data’ under the EU’s Directive 95/46/EC. Case C-582/14.

Server logs are automatically created and typically set behind webpages to record which pages have been viewed, when, and by which dynamic IP address. The IP address is the number assigned to a device that connects to the internet. A statistical analysis of the server log may be used to examine traffic patterns by time of day, day of week, etc. These files are usually accessible only by the webmaster or other administrative person, and may continue to exist indefinitely (see here).

According to this source, “A German citizen claimed that the practice of several websites run by the German government which store data in the logs – together with the dynamic IP address – means that the German State (and/or third parties) is processing his personal data”. Therefore, those data are protected by Directive 95/46/EC, and cannot processed without the data subject’s consent. On the other side, the German State claimed that website security legitimated data processing without consent.

After appeal, the issue went before the German Supreme Court, which was called to decide whether a dynamic IP address, together with the time of a download, constitutes ‘personal data’. However, according to this source, “the German Supreme Court could not square the German legislation with Article 7 of the Directive; indeed the five judges wondered whether the German legislation was at all compatible with the EU legislation”. Could Article 7, Directive 95/46/EC, which allows processing except where it violates the data subject’s fundamental rights under Article 1(1), be interpreted as “permitting data processing after users ceased using the website, on the basis that this could ensure the functioning of the telecoms network?

On February 27, 2015, the German Supreme Court referred to the ECJ the following preliminary questions (Case C-582/14):

  • Whether “an Internet Protocol address (IP address) which a service provider stores when his website is accessed already constitutes personal data [according to art. 2(a), Directive 95/46/EC] for the service provider if a third party (an access provider) has the additional knowledge required in order to identify the data subject?”
  • Whether “Article 7(f) of the Data Protection Directive preclude a provision in national law under which a service provider may collect and use a user’s personal data without his consent only to the extent necessary in order to facilitate, and charge for, the specific use of the telemedium by the user concerned, and under which the purpose of ensuring the general operability of the telemedium cannot justify use of the data beyond the end of the particular use of the telemedium?”

More information about case Case C-582/14, Patrick Breyer v Bundesrepublik Deutschland, can be found searching the Court of Justice’s website.

More information is available at…

For more information, Francesca Giannoni-Crystal

Follow us on& Like us on