Feeds

IP addresses in server logs not personal data: Ruling

German court OKs keeping them

Providing a secure and efficient Helpdesk

A German court has ruled that website operators are allowed to store the internet protocol (IP) addresses of their visitors without violating data protection legislation. Without additional information, IP addresses do not count as personal data, it said.

The issue has never been tested in a UK court but the view of the German court is consistent with guidance (pdf) published last year by the UK's Information Commissioner.

Search engine companies and other web publishing operations store IP addresses in a bid to identify users and their usage patterns. Privacy activists have argued that IP addresses should count as personal data under data protection legislation. Publishers have claimed that while IP addresses can be personal data, they are not always necessarily so.

In a provisional ruling, the district court of Munich has said that when stored by an internet publisher, IP addresses are not personal data under the country's Privacy Act because the information cannot be easily used to determine a person's identity.

The ruling said that an internet service provider (ISP) could not tell a third party who was using a particular IP address at a particular time without a legal basis. ISPs generally do not give out such information except when ordered to do so by a court.

The only other way for a person's identity to be determined by the IP address would be for the information to be transferred to a third party illegally, the court said.

In an automated translation from the German, the ruling said that IP addresses lack the necessary quality of 'determinability' to be personal data. That means that the identity of the person behind the data can be determined without disproportionate burden and using normally available knowledge and tools.

The court said that web publishers, therefore, could store IP addresses in server log files which keep a track of activity on a web page.

The case was brought by an individual who argued that a web publisher's storing of IP addresses in those log files was a privacy violation because the information could be used to identify him and link his identity to his web surfing activity.

The court disagreed and dismissed his arguments.

In 2007 the UK's Information Commissioner published guidance which said that in isolation, IP addresses will not be classed as personal data. They can become personal data, though, when used to build a profile on an individual or in the hands of an ISP.

"In practice, it is difficult to use IP addresses to build up personalised profiles," said the guidance. "Many IP addresses, particularly those allocated to individuals, are 'dynamic'. This means that each time a user connects to their internet service provider (ISP), they are given an IP address, and this will be different each time.

"So if it is only the ISP who can link the IP address to an individual it is difficult to see how the Act can cover collecting dynamic IP addresses without any other identifying or distinguishing information," it said.

The guidance adds: "Some IP addresses are 'static', and these are different. Like some cookies, they can be linked to a particular computer which may then be linked to an individual user. Where a link is established and profiles are created based on static IP addresses, the addresses and the profiles would be personal information and covered by the Act. However, it is not easy to distinguish between dynamic and static IP addresses, so there is limited scope for using them for personalised profiling."

The Article 29 Working Party, the committee of Europe's privacy watchdogs, has said (pdf) that IP addresses should be treated as personal data by ISPs and search engines, even if they are not always personal data.

"Unless the Internet Service Provider is in a position to distinguish with absolute certainty that the data correspond to users that cannot be identified, it will have to treat all IP information as personal data, to be on the safe side. These considerations will apply equally to search engine operators," it said in a report in April.

Copyright © 2008, OUT-LAW.com

OUT-LAW.COM is part of international law firm Pinsent Masons.

Choosing a cloud hosting partner with confidence

More from The Register

next story
Scrapping the Human Rights Act: What about privacy and freedom of expression?
Justice minister's attack to destroy ability to challenge state
WHY did Sunday Mirror stoop to slurping selfies for smut sting?
Tabloid splashes, MP resigns - but there's a BIG copyright issue here
Google hits back at 'Dear Rupert' over search dominance claims
Choc Factory sniffs: 'We're not pirate-lovers - also, you publish The Sun'
EU to accuse Ireland of giving Apple an overly peachy tax deal – report
Probe expected to say single-digit rate was unlawful
Inequality increasing? BOLLOCKS! You heard me: 'Screw the 1%'
There's morality and then there's economics ...
While you queued for an iPhone 6, Apple's Cook sold shares worth $35m
Right before the stock took a 3.8% dive amid bent and broken mobe drama
4chan outraged by Emma Watson nudie photo leak SCAM
In the immortal words of Shaggy, it wasn't me us ... amirite?
prev story

Whitepapers

A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.