Dynamic IP addresses are your personal property, CJEU rules
Property? Arrrr... no
The CJEU has affirmed personal property rights over dynamically allocated IP addresses, a move which brings European data protection laws into play.
The case was brought by German Pirate Party politician Patrice Breyer, who first brought an action restraining the German Federal Government from storing IP addresses, allocated by his ISP, that were used when he accessed its websites. He lost his case but appealed.
The German appeals court agreed with Breyer that an IP address could be used to identify an individual… but only up to a point. Only the ISP can make the identification, but Breyer’s beef wasn’t with the ISP, but a media provider, which in this case was the German state.
“The data stored does not enable Mr Breyer to be directly identified,” the CJEU noted in its ruling yesterday. “The operators of the websites at issue in the main proceedings can identify Mr Breyer only if the information relating to his identity is communicated to them by his internet service provider. The classification of those data as ‘personal data’ thus depends on whether Mr Breyer is identifiable.”
ISPs argue that they need to retain some subscriber IP information if only to help thwart DOS attacks on their networks and their customers.
The CJEU concluded that since Article 2(a) of Directive 95/46 states than “an identifiable person is one who can be identified, directly or indirectly”, [our emphasis] “ in order to treat information as personal data, it is not necessary that that information alone allows the data subject to be identified.”
However in reality, that would be “practically impossible” because connecting a dynamic IP address to the ISP’s subscriber information means a “disproportionate effort in terms of time, cost and man-power, so that the risk of identification appears in reality to be insignificant.”
On the other question asked of the CJEU, the Court affirmed Article 7 of the Data Protection Directive, which states that a media provider may collect and use personal data only “to facilitate and charge for the specific use of those services,” a broad statement which leaves things as they were.
The ironies here are delicious, and take your time to savour them.
Pirates have struggled with the concept of virtual property, resulting in some odd and intellectually incoherent positions. IP addresses are a form of virtual property. So, too, are the rights over one’s inventions, creativity, and other things that distinguish and define your identity.
This CJEU ruling wins European citizens a property right over something (an IP address) that they didn’t create, (the network operator “creates” the address), and which they cannot control.
Roll that one around for a minute.
Arrrr... hang on
The Pirate Party's strong antipathy towards virtual property rights that belong to other people resulted in a catastrophic decision by the CJEU last month. The case was Tobias Mc Fadden v Sony Music Entertainment Germany GmbH and the ruling is here. [PDF] It effectively nuked anonymity and open public Wi-Fi networks in Europe, by taking a dogmatic stand on other people’s property rights. The German Pirates, presumably including Breyer, argued that the right of an information service provider should trump the rights of the property owner.
The CJEU, in the case of McFadden vs Sony respectfully disagreed: one right doesn’t extinguish another. The result is that the CJEU advised open hotspot operators to require names, or in the Court's words: "in order to ensure that deterrent effect, it is necessary to require users to reveal their identity to be prevented from acting anonymously before obtaining the required password."
Breyer blamed everyone but the Pirates for the result. ®
Sponsored: Becoming a Pragmatic Security Leader