A German court (Case No. 133 C 5677/08) recently issued a decision that Internet Protocol (IP) addresses stored on a company’s server do not constitute “personal data” under the German data protection law. An IP address is a unique number that every computer connected to the internet is assigned. Under German data protection law (and EU law generally), “personal data” is any data that identifies a natural person. Usually, whether or not a particular category of data constitutes “personal data” is fairly noncontroversial. However, the issue of whether IP addresses constitute personal data is a particularly thorny issue, as an IP address usually consists of a string of numbers, making it difficult to identify a natural person behind a given numerical combination. In fact, last year the EU article 29 Working Party (the EU Committee charged with clarifying the EU Data Protection Directive) has previously opined in 2007, and again in 2008 in more detail as reported here that there is “no doubt” IP addresses do in fact constitute “data relating to an identifiable person” under the EU Data Protection Directive.
However, the German Court held otherwise. In its view, IP addresses are too far removed from an identifiable natural person to constitute “personal data.” In the court’s view, a string of numbers does not reveal the identity of an individual– in order to do so, one would have to query the user’s internet service provider (ISP) to discover the user’s identity. However, in Germany, it would be (in principle) unlawful to obtain the identity of an individual from an IP address from an ISP. It is this “additional step” that distinguishes IP addresses from other types of information that would constitute personal data, where the identity of an individual is readily discernable.
The court’s decision is not the final word in Germany. The case may very well be appealed, and only a decision by the German Federal High Court would truly resolve the issue. Nonetheless, the opinion is sure to influence courts throughout the EU that will no doubt be grappling with this issue. Indeed, a court in Berlin has previously opined just the contrary. In light of this uncertainty, companies that store EU citizens’ IP addresses on their server for any prolonged length of time would be well advised to consult with legal counsel.