IP addresses in server logs not personal data: Ruling
German court OKs keeping them
A German court has ruled that website operators are allowed to store the internet protocol (IP) addresses of their visitors without violating data protection legislation. Without additional information, IP addresses do not count as personal data, it said.
The issue has never been tested in a UK court but the view of the German court is consistent with guidance (pdf) published last year by the UK's Information Commissioner.
Search engine companies and other web publishing operations store IP addresses in a bid to identify users and their usage patterns. Privacy activists have argued that IP addresses should count as personal data under data protection legislation. Publishers have claimed that while IP addresses can be personal data, they are not always necessarily so.
In a provisional ruling, the district court of Munich has said that when stored by an internet publisher, IP addresses are not personal data under the country's Privacy Act because the information cannot be easily used to determine a person's identity.
The ruling said that an internet service provider (ISP) could not tell a third party who was using a particular IP address at a particular time without a legal basis. ISPs generally do not give out such information except when ordered to do so by a court.
The only other way for a person's identity to be determined by the IP address would be for the information to be transferred to a third party illegally, the court said.
In an automated translation from the German, the ruling said that IP addresses lack the necessary quality of 'determinability' to be personal data. That means that the identity of the person behind the data can be determined without disproportionate burden and using normally available knowledge and tools.
The court said that web publishers, therefore, could store IP addresses in server log files which keep a track of activity on a web page.
The case was brought by an individual who argued that a web publisher's storing of IP addresses in those log files was a privacy violation because the information could be used to identify him and link his identity to his web surfing activity.
The court disagreed and dismissed his arguments.
In 2007 the UK's Information Commissioner published guidance which said that in isolation, IP addresses will not be classed as personal data. They can become personal data, though, when used to build a profile on an individual or in the hands of an ISP.
"In practice, it is difficult to use IP addresses to build up personalised profiles," said the guidance. "Many IP addresses, particularly those allocated to individuals, are 'dynamic'. This means that each time a user connects to their internet service provider (ISP), they are given an IP address, and this will be different each time.
"So if it is only the ISP who can link the IP address to an individual it is difficult to see how the Act can cover collecting dynamic IP addresses without any other identifying or distinguishing information," it said.
The guidance adds: "Some IP addresses are 'static', and these are different. Like some cookies, they can be linked to a particular computer which may then be linked to an individual user. Where a link is established and profiles are created based on static IP addresses, the addresses and the profiles would be personal information and covered by the Act. However, it is not easy to distinguish between dynamic and static IP addresses, so there is limited scope for using them for personalised profiling."
The Article 29 Working Party, the committee of Europe's privacy watchdogs, has said (pdf) that IP addresses should be treated as personal data by ISPs and search engines, even if they are not always personal data.
"Unless the Internet Service Provider is in a position to distinguish with absolute certainty that the data correspond to users that cannot be identified, it will have to treat all IP information as personal data, to be on the safe side. These considerations will apply equally to search engine operators," it said in a report in April.
Copyright © 2008, OUT-LAW.com
OUT-LAW.COM is part of international law firm Pinsent Masons.
Sponsored: Network DDoS protection