Feeds

IP addresses in server logs not personal data: Ruling

German court OKs keeping them

Internet Security Threat Report 2014

A German court has ruled that website operators are allowed to store the internet protocol (IP) addresses of their visitors without violating data protection legislation. Without additional information, IP addresses do not count as personal data, it said.

The issue has never been tested in a UK court but the view of the German court is consistent with guidance (pdf) published last year by the UK's Information Commissioner.

Search engine companies and other web publishing operations store IP addresses in a bid to identify users and their usage patterns. Privacy activists have argued that IP addresses should count as personal data under data protection legislation. Publishers have claimed that while IP addresses can be personal data, they are not always necessarily so.

In a provisional ruling, the district court of Munich has said that when stored by an internet publisher, IP addresses are not personal data under the country's Privacy Act because the information cannot be easily used to determine a person's identity.

The ruling said that an internet service provider (ISP) could not tell a third party who was using a particular IP address at a particular time without a legal basis. ISPs generally do not give out such information except when ordered to do so by a court.

The only other way for a person's identity to be determined by the IP address would be for the information to be transferred to a third party illegally, the court said.

In an automated translation from the German, the ruling said that IP addresses lack the necessary quality of 'determinability' to be personal data. That means that the identity of the person behind the data can be determined without disproportionate burden and using normally available knowledge and tools.

The court said that web publishers, therefore, could store IP addresses in server log files which keep a track of activity on a web page.

The case was brought by an individual who argued that a web publisher's storing of IP addresses in those log files was a privacy violation because the information could be used to identify him and link his identity to his web surfing activity.

The court disagreed and dismissed his arguments.

In 2007 the UK's Information Commissioner published guidance which said that in isolation, IP addresses will not be classed as personal data. They can become personal data, though, when used to build a profile on an individual or in the hands of an ISP.

"In practice, it is difficult to use IP addresses to build up personalised profiles," said the guidance. "Many IP addresses, particularly those allocated to individuals, are 'dynamic'. This means that each time a user connects to their internet service provider (ISP), they are given an IP address, and this will be different each time.

"So if it is only the ISP who can link the IP address to an individual it is difficult to see how the Act can cover collecting dynamic IP addresses without any other identifying or distinguishing information," it said.

The guidance adds: "Some IP addresses are 'static', and these are different. Like some cookies, they can be linked to a particular computer which may then be linked to an individual user. Where a link is established and profiles are created based on static IP addresses, the addresses and the profiles would be personal information and covered by the Act. However, it is not easy to distinguish between dynamic and static IP addresses, so there is limited scope for using them for personalised profiling."

The Article 29 Working Party, the committee of Europe's privacy watchdogs, has said (pdf) that IP addresses should be treated as personal data by ISPs and search engines, even if they are not always personal data.

"Unless the Internet Service Provider is in a position to distinguish with absolute certainty that the data correspond to users that cannot be identified, it will have to treat all IP information as personal data, to be on the safe side. These considerations will apply equally to search engine operators," it said in a report in April.

Copyright © 2008, OUT-LAW.com

OUT-LAW.COM is part of international law firm Pinsent Masons.

Beginner's guide to SSL certificates

More from The Register

next story
Phones 4u slips into administration after EE cuts ties with Brit mobe retailer
More than 5,500 jobs could be axed if rescue mission fails
Driving with an Apple Watch could land you with a £100 FINE
Bad news for tech-addicted fanbois behind the wheel
Phones 4u website DIES as wounded mobe retailer struggles to stay above water
Founder blames 'ruthless network partners' for implosion
Radio hams can encrypt, in emergencies, says Ofcom
Consultation promises new spectrum and hints at relaxed licence conditions
Special pleading against mass surveillance won't help anyone
Protecting journalists alone won't protect their sources
Big Content Australia just blew a big hole in its credibility
AHEDA's research on average content prices did not expose methodology, so appears less than rigourous
Vodafone to buy 140 Phones 4u stores from stricken retailer
887 jobs 'preserved' in the process, says administrator PwC
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.