German court says ISPs do not violate the law by storing IP addresses

On 30 September 2008, the Munich District Court decided in a provisional ruling that website operators were not violating the data protection legislation when storing IP addresses of their visitors as IP addresses alone are not considered personal data.

(...) The court considers IP addresses are not personal data under the German Privacy Act because the information cannot be easily used to determine a person's identity and an ISP could not tell a third party who was using a particular IP address at a particular time without a legal basis. Such information is provided by ISPs only when ordered by a court.

The ruling also said that IP addresses lacked the necessary quality of "determinability" to be personal data, meaning the identity of the person behind the information cannot be established without a significant effort and by using "normally available knowledge and tools."

(...) Privacy activists have argued that IP addresses should count as personal data under data protection legislation. (...)

Regarding the fact that IP addresses are not considered personal data by some, in an interview given to EurActiv on the data protection rules, the European Data Protection Supervisor Peter Hustinx explained : "As of today there is some uncertainty, and this is why we will probably see a study from the Commission to shed light on this. But the common view of the data protection specialists is that in many situations IP addresses are personal data. Therefore websites, Internet Service Providers and other parties should ensure data protection compliance. This is an important thing to emphasise." He also believes that The European Commission should clarify the application of existing data protection rules in relation to RFID in order to avoid "big social dangers".

Related documnets

Back to top