Privacy & Cybersecurity Law Blog

On October 28, 2014, the German Federal Court of Justice referred the question of whether an IP address constitutes personal data under the EU Data Protection Directive 95/46/EC (“EU Data Protection Directive”) to the European Court of Justice (“ECJ”). The German court referred the question to the ECJ for a preliminary ruling in connection with a case that arose in 2008 when a German citizen challenged the German federal government’s storage of the dynamic IP addresses of users on government websites. The citizen’s claim initially was rejected by the court of first instance. The claim was granted, however, by the court of second instance to the extent it referred to the storage of IP addresses after the users left the relevant government websites. Subsequently, both parties appealed the decision to the German Federal Court of Justice.

The German Federal Court of Justice has suspended the proceedings and referred two questions to the ECJ:

• Whether, under Article 2A of the EU Data Protection Directive, an IP address is personal data (i.e., any information relating to an identified or identifiable natural person) when the IP address is stored by an Internet service provider(“ISP”) and a third party (e.g., the ISP) possesses sufficient additional data to identify the user.
• Whether the EU Data Protection Directive is contrary to a provision in the German Telemedia Act. According to the relevant provision of the Telemedia Act, a website provider may collect and process the personal data of users without their consent only to the extent it is necessary to (1) enable the general functionality of the website or (2) arrange payment. In addition, the relevant provision of the Telemedia Act states that enabling the general functionality of the website does not permit user data to be processed after the user closes, or navigates away from, the website.