Feeds

IP addresses in server logs not personal data: Ruling

German court OKs keeping them

Top 5 reasons to deploy VMware with Tegile

A German court has ruled that website operators are allowed to store the internet protocol (IP) addresses of their visitors without violating data protection legislation. Without additional information, IP addresses do not count as personal data, it said.

The issue has never been tested in a UK court but the view of the German court is consistent with guidance (pdf) published last year by the UK's Information Commissioner.

Search engine companies and other web publishing operations store IP addresses in a bid to identify users and their usage patterns. Privacy activists have argued that IP addresses should count as personal data under data protection legislation. Publishers have claimed that while IP addresses can be personal data, they are not always necessarily so.

In a provisional ruling, the district court of Munich has said that when stored by an internet publisher, IP addresses are not personal data under the country's Privacy Act because the information cannot be easily used to determine a person's identity.

The ruling said that an internet service provider (ISP) could not tell a third party who was using a particular IP address at a particular time without a legal basis. ISPs generally do not give out such information except when ordered to do so by a court.

The only other way for a person's identity to be determined by the IP address would be for the information to be transferred to a third party illegally, the court said.

In an automated translation from the German, the ruling said that IP addresses lack the necessary quality of 'determinability' to be personal data. That means that the identity of the person behind the data can be determined without disproportionate burden and using normally available knowledge and tools.

The court said that web publishers, therefore, could store IP addresses in server log files which keep a track of activity on a web page.

The case was brought by an individual who argued that a web publisher's storing of IP addresses in those log files was a privacy violation because the information could be used to identify him and link his identity to his web surfing activity.

The court disagreed and dismissed his arguments.

In 2007 the UK's Information Commissioner published guidance which said that in isolation, IP addresses will not be classed as personal data. They can become personal data, though, when used to build a profile on an individual or in the hands of an ISP.

"In practice, it is difficult to use IP addresses to build up personalised profiles," said the guidance. "Many IP addresses, particularly those allocated to individuals, are 'dynamic'. This means that each time a user connects to their internet service provider (ISP), they are given an IP address, and this will be different each time.

"So if it is only the ISP who can link the IP address to an individual it is difficult to see how the Act can cover collecting dynamic IP addresses without any other identifying or distinguishing information," it said.

The guidance adds: "Some IP addresses are 'static', and these are different. Like some cookies, they can be linked to a particular computer which may then be linked to an individual user. Where a link is established and profiles are created based on static IP addresses, the addresses and the profiles would be personal information and covered by the Act. However, it is not easy to distinguish between dynamic and static IP addresses, so there is limited scope for using them for personalised profiling."

The Article 29 Working Party, the committee of Europe's privacy watchdogs, has said (pdf) that IP addresses should be treated as personal data by ISPs and search engines, even if they are not always personal data.

"Unless the Internet Service Provider is in a position to distinguish with absolute certainty that the data correspond to users that cannot be identified, it will have to treat all IP information as personal data, to be on the safe side. These considerations will apply equally to search engine operators," it said in a report in April.

Copyright © 2008, OUT-LAW.com

OUT-LAW.COM is part of international law firm Pinsent Masons.

Intelligent flash storage arrays

More from The Register

next story
Ex-US Navy fighter pilot MIT prof: Drones beat humans - I should know
'Missy' Cummings on UAVs, smartcars and dying from boredom
Facebook, Apple: LADIES! Why not FREEZE your EGGS? It's on the company!
No biological clockwatching when you work in Silicon Valley
The 'fun-nification' of computer education – good idea?
Compulsory code schools, luvvies love it, but what about Maths and Physics?
Doctor Who's Flatline: Cool monsters, yes, but utterly limp subplots
We know what the Doctor does, stop going on about it already
Happiness economics is bollocks. Oh, UK.gov just adopted it? Er ...
Opportunity doesn't knock; it costs us instead
'Cowardly, venomous trolls' threatened with TWO-YEAR sentences for menacing posts
UK government: 'Taking a stand against a baying cyber-mob'
Sysadmin with EBOLA? Gartner's issued advice to debug your biz
Start hoarding cleaning supplies, analyst firm says, and assume your team will scatter
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.