Privacy & Information Security Law Blog

In a recently published decision rendered on June 16, 2010, the Frankfurt am Main Higher Regional Court ruled that an Internet access provider may store IP addresses for seven days, and therefore, customers have no right to demand immediate deletion of their IP addresses.  The Court’s ruling upheld a decision originally rendered by the regional court of Darmstadt.

The claimant had requested that Deutsche Telekom AG delete the dynamic IP address assigned and stored for each Internet session immediately upon disconnection by a user.  Up to that point, the Internet provider had been retaining IP addresses for 80 days after each billing cycle.  In June 2007, the lower court granted the claimant request, imposing a maximum retention period of seven days for IP addresses.  The Internet provider reduced its IP address retention period accordingly, based on an agreement with the German federal data protection authority.

The claimant, however, was not satisfied with the seven-day grace period and decided to press for the deletion of IP addresses as soon as an Internet connection ends.  In the claimant’s view, such deletion is required by data protection law and is fundamental to the protection of personal privacy.  Because IP addresses may allow third-parties to monitor a user’s behavior on the Internet, and even create personality profiles based on the observed behavior, the claimant argued that a seven-day retention period is unacceptable.

The Court disagreed with these arguments, stating that there is no legal basis for requiring Deutsche Telekom AG to delete IP addresses immediately, and that IP addresses are necessary for invoicing purposes under the German Telecommunications Act.

In addition, the Court argued that the claimant had overlooked some aspects of his contractual relationship with the provider.  His subscription covered a combination of services for a flat fee, and allowed him to use his login to use other telecommunications accounts and access techniques.  These supplemental services may generate additional costs that must be calculated and documented by the service provider using stored IP addresses.  If the IP addresses were deleted right after the Internet connection ended, it would be impossible for the provider to allocate and invoice the supplemental services to the appropriate subscriber.

The retention of IP addresses also is permitted for security and technical reasons.  According to the provisions of the German Telecommunications Act, the retention of Internet traffic data is permitted to identify, limit or remedy disturbances or errors in a telecommunications system.  If the IP addresses were deleted immediately, it would be nearly impossible for a provider to resolve certain technical issues.  The claimant failed to demonstrate that the immediate deletion of IP addresses would not have an adverse effect on invoicing and detection of technical disturbances, thus the seven-day retention period agreed with the German federal DPA could not be challenged.

The Higher Regional Court’s decision is now on appeal to the German Federal Court of Justice (Az.: III ZR 146/10).