(Dieser Artikel ist auch in deutscher Sprache verfügbar)
On 30 September 2008, the Munich District Court decided in a provisional ruling that website operators were not violating the data protection legislation when storing IP addresses of their visitors as IP addresses alone are not considered personal data.
The case was brought to the court by an individual who argued that storing IP addresses in log files by a web publisher represents a privacy violation because the information could be used to identify him and relate his identity to his web surfing activity. The court dismissed his arguments and ruled against his claim.
The court considers IP addresses are not personal data under the German Privacy Act because the information cannot be easily used to determine a person's identity and an ISP could not tell a third party who was using a particular IP address at a particular time without a legal basis. Such information is provided by ISPs only when ordered by a court.
The ruling also said that IP addresses lacked the necessary quality of "determinability" to be personal data, meaning the identity of the person behind the information cannot be established without a significant effort and by using "normally available knowledge and tools."
However, we should not over-estimate the relevance of this decision.It was taken by a local court with no IT experts and the judge did not discuss the dissenting decisions from higher level Berlin courts. The decision only applies to dynamic IP addresses.
Privacy activists have argued that IP addresses should count as personal data under data protection legislation. The Article 29 Working Party has also said that IP addresses should be treated as personal data by ISPs and search engines, even if they are not always personal data. "Unless the Internet Service Provider is in a position to distinguish with absolute certainty that the data correspond to users that cannot be identified, it will have to treat all IP information as personal data, to be on the safe side. These considerations will apply equally to search engine operators," said a report issued by the Article 29 Working Party in April.
Regarding the fact that IP addresses are not considered personal data by some, in an interview given to EurActiv on the data protection rules, the European Data Protection Supervisor Peter Hustinx explained : "As of today there is some uncertainty, and this is why we will probably see a study from the Commission to shed light on this. But the common view of the data protection specialists is that in many situations IP addresses are personal data. Therefore websites, Internet Service Providers and other parties should ensure data protection compliance. This is an important thing to emphasise." He also believes that The European Commission should clarify the application of existing data protection rules in relation to RFID in order to avoid "big social dangers".
German court says IP addresses in server logs are not personal data
(14.10.2008)
http://www.out-law.com/page-9505
Hustinx: Tracking people 'easier' with RFID (3.10.2008)
http://www.euractiv.com/en/infosociety/hustinx-tracking-people-easier-...
AG, Munich: IP addresses may be used by Web site operators are stored (only
in German, 7.10.2008)
http://www.kremer-legal.com/2008/10/07/ag-munchen-ip-adressen-durfen-v...