IP Address Is Personal Data: ECJ Advocate General

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Michael Scaturro

May 12 — A European Court of Justice (ECJ) Advocate General proposed May 12 that Internet protocol (IP) addresses are personal data protected by European Union data protection laws, but companies like Google Inc. and Amazon.com Inc. can continue to collect such data to prevent attacks on their systems.

The ECJ must still rule on the matter, but the opinion written by Advocate General Manuel Campos Sánchez-Bordona would give courts in EU member states the right to weigh in on whether companies’ metadata collection practices align with applicable EU laws.

“The fact that it might be difficult to combine different data sets to identify a user by his or her IP address doesn’t mean that this doesn’t present a danger to the user,” Sánchez-Bordona wrote.

Underlying German Case

The underlying case, initially filed January 2008 at the Local Court (Amtsgericht) of Berlin-Tiergarten by Patrick Breyer, a lawmaker in the Parliament of the German state of Schleswig-Holstein, challenged the German federal government's storage of dynamic IP addresses of those surfing government websites (13 PVLR 1889, 11/3/14). The German government argued that logging visits to its websites is necessary for security reasons and is permissible because it can't link the information back to any specific person.

Breyer argued that those IP addresses constitute personal data—because the time, date and IP address together make it possible to identify the user—and, therefore, the collection and storage of that information is unlawful under Germany's data protection laws. He asked the government to delete any data that it collected on him unless that data aligned with allowed use for preventing hacking and other attacks.

“The German government was storing the dynamic IP addresses of the users of its website for security purposes,” Martin Munz, a partner at White & Case in Hamburg, told Bloomberg BNA May 12. “The court said that in this instance, the government is acting like a private company, and it can’t invoke the argument of security in order to save the dynamic IP addresses,” Munz said.

Breyer said the ruling felt short of his party's desire to end IP address retention.

“It’s a setback because I was hoping for a clear decision saying that, under existing European law, retaining such data amounted to indiscriminate data retention,” Breyer told Bloomberg BNA May 12.

Breyer said he and his party will lobby in Brussels to amend the EU privacy directive so that it bans companies from collecting metadata unless the data is used to prevent online purchase fraud or hacking. He also wants courts in EU member states to test whether Google, Amazon and other large companies have a “legitimate interest” in collecting and storing IP addresses.

“What is not proportionate is what Google is doing now and holding this data indefinitely,” Breyer said.

Complicated Issue

According to Munz, the advocate general's opinion could lead companies to seek consent from users.

“If you can get consent from users for other uses of the data, then the data can be used for other purposes,” Munz said. “With respect to cookies, you just have to inform the user and give him the option of opting out. But the use of IP address for other purpose could probably require an opt-in concept.”

Munz said the system would vary across the EU, as data protection laws are crafted by member state governments.

“In Germany, it might be an opt-in, whereas in the U.K. it could be an opt-out,” Munz said. “Companies will have to follow the rules set out by the data protection office in the country where they are located. This isn’t likely to be based on where the user is located.”

Munz said the issue could become more complicated if EU member states decide that the IP collection issue isn't just a data protection issue but also a consumer protection issue. In those cases, companies would have to tailor their polices to align with local rules.

“So for those companies situated in Ireland, they will claim that the Irish law will apply,” Munz said. “But Germans might make the case that this is a consumer protection issue and that their laws might have to apply as well to German users. Some German courts have ruled that this isn’t just a data protection issue but also a consumer protection issue. It’s a bit of a mess, really.”

To contact the reporter on this story: Michael Scaturro in Brussels at correspondents@bna.com

To contact the editor responsible for this story: Jimmy H. Koo at jkoo@bna.com

For More Information

Full text of the Advocate General's opinion is available at http://src.bna.com/eVk.