In a September 8, 2010 opinion, Switzerland’s highest court announced that Internet Protocol (IP) addresses are personal information protected by the country’s data protection laws. The Swiss Federal Supreme Court’s ruling in In re Logistep AG, BGer, No. 1C-285/2009, 1C_295/2009, 9/8/10, adds to the longstanding debate over whether such information is personal information despite the fact that a single IP address can be attributed to more than one computer user. While the debate is far from over, the Logistep decision makes clear that businesses collecting information about individuals’ Internet activities, particularly those with operations in Europe, must treat IP addresses with care, as they may be protected by privacy laws in some jurisdictions.
The Logistep case involved a service provider that collected information about peer-to-peer filing sharing activity and sold this information to copyright holders who used it to identify and sue potential copyright infringers. In January 2008, Switzerland’s data protection authorities (FDCIP) asked Logistep to stop its peer-to-peer monitoring activities. The FDCIP alleged that Logistep’s activities violated the Swiss Data Protection Act since they were unknown to computer users and circumvented certain telecommunications privacy rights that could only be waived in criminal proceedings. Logistep ignored the FDCIP’s request, and quickly became the subject of an FDCIP enforcement action. The administrative court overseeing the FDCIP’s enforcement action ruled that IP addresses did constitute personal information. Nonetheless, the court allowed Logistep to continue its monitoring activities because, in its view, the interests of copyright holders outweighed the interests of computer users seeking to have their IP addresses protected.
On appeal, the Federal Supreme Court affirmed the lower court’s conclusion that IP addresses are personal information. But the Supreme Court reversed the lower court’s conclusion regarding Logistep’s monitoring activities, finding that the contested conduct should be stopped because it involved a major invasion of privacy and could not be justified by any overriding interest. Consequently, as the FDCIP announced on September 9, 2010, Logistep may no longer “collect or pass on any further data” in furtherance of its contested copyright enforcement activities.