Yesterday saw an important judgement by the European Court of Justice that declared dynamic IP addresses should be classed as personal data in the same manner as static IP addresses. The judgement was the result of a case brought to the ECJ by a member of Germany’s Pirate Party, opposing how the government websites he was doing work for stored his dynamic IP address.
While a website is not able to identify a person from a dynamic IP address, ISPs keep a record of all the dynamic IP addresses used by a customer and therefore they can be used to identify an individual device.
The judgement at first seems a victory for privacy, as by being catagorised as personal data, dynamic IPs can no longer be stored without reason and are protected from misuse. This will lead to Germany’s Telemedia Act restricting the storing of dynamic IP addresses to seven days, the same as for other personal data.
However, the judgement acknowledges that data protection laws allow IP addresses and other personal data to be stored for a “period of time that absolutely allows [it] to fulfill it’s tasks.” As the German government “may have a legitimate interest in ensuring the continued functioning of their websites which goes beyond each specific use of their publicly accessible websites,” the court therefore ruled that it is acceptable for government websites to store IP addresses to “guarantee the security and the maintenance of its telecommunications networks.”
Sadly it seems that while German privacy laws prevent private companies from storing your data, they can do little to stop the government from doing so.
This is a complex situation, as while we welcome the acknowledgment that dynamic IP addresses are not truly anonymous and therefore should be considered personal data, the court’s judgement leaves open the possibility of government websites across the EU storing all personal information gathered indefinitely, arguing that it is necessary for security.