Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...
May 12 — A European Court of Justice (ECJ) Advocate General proposed May 12 that Internet protocol (IP) addresses are personal data protected by European Union data protection laws, but companies like Google Inc. and Amazon.com Inc. can continue to collect such data to prevent attacks on their systems.
The ECJ must still rule on the matter, but the opinion written by Advocate General Manuel Campos Sánchez-Bordona would give courts in EU member states the right to weigh in on whether companies’ metadata collection practices align with applicable EU laws.
“The fact that it might be difficult to combine different data sets to identify a user by his or her IP address doesn’t mean that this doesn’t present a danger to the user,” Sánchez-Bordona wrote.
The underlying case, initially filed January 2008 at the Local Court (Amtsgericht) of Berlin-Tiergarten by Patrick Breyer, a lawmaker in the Parliament of the German state of Schleswig-Holstein, challenged the German federal government's storage of dynamic IP addresses of those surfing government websites (13 PVLR 1889, 11/3/14). The German government argued that logging visits to its websites is necessary for security reasons and is permissible because it can't link the information back to any specific person.
Breyer argued that those IP addresses constitute personal data—because the time, date and IP address together make it possible to identify the user—and, therefore, the collection and storage of that information is unlawful under Germany's data protection laws. He asked the government to delete any data that it collected on him unless that data aligned with allowed use for preventing hacking and other attacks.
“The German government was storing the dynamic IP addresses of the users of its website for security purposes,” Martin Munz, a partner at White & Case in Hamburg, told Bloomberg BNA May 12. “The court said that in this instance, the government is acting like a private company, and it can’t invoke the argument of security in order to save the dynamic IP addresses,” Munz said.
Breyer said the ruling felt short of his party's desire to end IP address retention.
“It’s a setback because I was hoping for a clear decision saying that, under existing European law, retaining such data amounted to indiscriminate data retention,” Breyer told Bloomberg BNA May 12.
Breyer said he and his party will lobby in Brussels to amend the EU privacy directive so that it bans companies from collecting metadata unless the data is used to prevent online purchase fraud or hacking. He also wants courts in EU member states to test whether Google, Amazon and other large companies have a “legitimate interest” in collecting and storing IP addresses.
“What is not proportionate is what Google is doing now and holding this data indefinitely,” Breyer said.
According to Munz, the advocate general's opinion could lead companies to seek consent from users.
“If you can get consent from users for other uses of the data, then the data can be used for other purposes,” Munz said. “With respect to cookies, you just have to inform the user and give him the option of opting out. But the use of IP address for other purpose could probably require an opt-in concept.”
Munz said the system would vary across the EU, as data protection laws are crafted by member state governments.
“In Germany, it might be an opt-in, whereas in the U.K. it could be an opt-out,” Munz said. “Companies will have to follow the rules set out by the data protection office in the country where they are located. This isn’t likely to be based on where the user is located.”
Munz said the issue could become more complicated if EU member states decide that the IP collection issue isn't just a data protection issue but also a consumer protection issue. In those cases, companies would have to tailor their polices to align with local rules.
“So for those companies situated in Ireland, they will claim that the Irish law will apply,” Munz said. “But Germans might make the case that this is a consumer protection issue and that their laws might have to apply as well to German users. Some German courts have ruled that this isn’t just a data protection issue but also a consumer protection issue. It’s a bit of a mess, really.”
To contact the reporter on this story: Michael Scaturro in Brussels at firstname.lastname@example.org
To contact the editor responsible for this story: Jimmy H. Koo at email@example.com
Full text of the Advocate General's opinion is available at http://src.bna.com/eVk.
All Bloomberg BNA treatises are available on standing order, which ensures you will always receive the most current edition of the book or supplement of the title you have ordered from Bloomberg BNA’s book division. As soon as a new supplement or edition is published (usually annually) for a title you’ve previously purchased and requested to be placed on standing order, we’ll ship it to you to review for 30 days without any obligation. During this period, you can either (a) honor the invoice and receive a 5% discount (in addition to any other discounts you may qualify for) off the then-current price of the update, plus shipping and handling or (b) return the book(s), in which case, your invoice will be cancelled upon receipt of the book(s). Call us for a prepaid UPS label for your return. It’s as simple and easy as that. Most importantly, standing orders mean you will never have to worry about the timeliness of the information you’re relying on. And, you may discontinue standing orders at any time by contacting us at 1.800.960.1220 or by sending an email to firstname.lastname@example.org.
Put me on standing order at a 5% discount off list price of all future updates, in addition to any other discounts I may quality for. (Returnable within 30 days.)
Notify me when updates are available (No standing order will be created).
This Bloomberg BNA report is available on standing order, which ensures you will all receive the latest edition. This report is updated annually and we will send you the latest edition once it has been published. By signing up for standing order you will never have to worry about the timeliness of the information you need. And, you may discontinue standing orders at any time by contacting us at 1.800.372.1033, option 5, or by sending us an email to email@example.com.
Put me on standing order
Notify me when new releases are available (no standing order will be created)