In its judgment of 19 October 2016 (C-582/14), the Court of Justice ruled on the preservation of dynamic IP addresses by websites in the fight against cyberattacks. The judgment is important for two reasons. On the one hand, the judgment clarifies the scope of the concept of "personal data". On the other hand, it confirms that protecting a website from cyberattacks is a legitimate interest for website operators and provides a legal basis under certain conditions for the storage of personal data such as dynamic IP addresses.
Why is this judgment relevant to you as a company?
In summary, this judgment is relevant to you for two reasons:
First, the concept of "personal data" is interpreted very broadly. This judgment confirms that you cannot simply assume that you do not process personal data because you are not in a position to identify individuals directly. Although the judgment was rendered with regard to data held by one particular third party, the internet service provider, it is not inconceivable that the interpretation also applies to data held by other third parties. If third parties whom you can reasonably approach hold additional information which, combined with your data, enables you to identify a person, you are processing personal data.
Secondly, protecting your site against cyberattacks is a legitimate interest which (subject also to certain other conditions) permits you to process personal data of your website visitors.
What is at stake: the processing of personal data
This case is another episode in the security versus privacy debate. The judgment of the European Court of Justice ruled on a dispute between a German citizen and the German government. Patrick Breyer visited several websites of the German federal government and found that these websites recorded logs of all visitors. The German government stored various data relating to the browsing by the visitor even after the connection was ended, including the search terms entered and the IP address of the visitor, for the purposes of protection against cyberattacks and enabling prosecution of attackers.
Internet service providers assign each connected device an IP address, which enables communication with a website. This address is passed to the server on which the visited website is hosted. On the basis of this address, it is possible to identify the visitor's device. The service provider can assign a dynamic IP address, which may change each time the device reconnects to the internet. Internet service providers can also assign a static IP address, which is permanently allocated to the device (e.g., a mail server).
The characteristic feature of dynamic IP addresses is that a website operator cannot identify the visitor solely on the basis of the dynamic IP address itself. In order to do so, the website operator would need more information – which is only available to the internet service provider and which the internet service provider cannot pass on to the website operator without a legal basis.
Dynamic IP addresses can be personal data for website operators even though they cannot directly identify a visitor on that basis
The website operator in this case only had information about dynamic IP addresses, via which he himself could not directly identify website visitors. He would only be able to do so if he were to combine his data with the additional information held by the internet service provider.
The Court had to decide in this case whether website visitors (like Breyer) are identifiable in these circumstances, and therefore whether dynamic IP addresses can be considered as personal data with regard to the website operator.
With that question, the Court was given the opportunity to take a stance in a debate in which two views on the notion of identifiability are advanced. One view is based on an objective criterion, where data are personal data even if only a third party is able to determine the identity of the individual. This view gives a very broad interpretation to the concept of personal data, so that dynamic IP addresses of visitors are personal data for the website operator. The other view assumes a relative criterion, where data are personal data if the person who has access to the data is capable, using his own resources, of identifying a natural person. In this case, the dynamic IP addresses of visitors are not personal data for the website operator.
The Court agreed with the first view and ruled that dynamic IP addresses are personal data for a website operator because, by using the additional information that he can request from the internet provider, he has legal means of identifying the visitor. The Court added that this is not the case when the identification of a person is (i) prohibited by law, or (ii) practically impossible on account of the fact that it requires a disproportionate effort in terms of time, cost and manpower, so that, in reality, the risk of identification appears to be insignificant.
Websites may process this information to protect against cyberattacks
Under European data protection legislation, websites are allowed to process personal data without the consent of the data subject in a limited number of cases. This is possible, for example, if it is necessary to protect a legitimate interest of the website operator or a third party to whom the data are entrusted, as long as it does not disproportionately infringe the fundamental rights and freedoms of the visitor.
Breyer considered that the German authorities disproportionately violated his right to data protection by tracking data for purposes other than simply repairing website failures. Breyer referred to a German law which provides that website operators, in cases where there is no consent given by the visitor, can only keep data as far and as long as this is necessary for the practical use of the website service or for billing purposes.
The German government countered that the German law in question prevented data processing on the basis of other legitimate interests, one of which is safeguarding the proper functioning of the service. The proper functioning of a website is at risk if the site becomes a victim of cybercrime. In particular, websites are vulnerable to DDoS attacks, in which many devices connect to a website at the same time, which can render the website unavailable. During such an attack the website's security is weakened, enabling attackers to penetrate the database and exfiltrate data.
The European Court of Justice sided with the German government and opted for a broad approach to the interests of the data controller by confirming that protection against cybercrime can be a legitimate interest. This is certainly an important ruling for the bolstering of cybersecurity in the European Union.