ECJ: Website operators can store certain personal data to prevent cyberattacks

The European Court of Justice (ECJ) has ruled that website operators may have a legitimate interest in storing certain personal data relating to their visitors in order to protect themselves against cyberattacks.

The dynamic internet protocol address of a visitor constitutes personal data, with respect to the operator of the website, if that operator has the legal means allowing it to identify the visitor concerned with additional information about him which is held by the internet access provider.

Mr Patrick Breyer brought an action before the German courts seeking an injunction to prevent websites run by the Federal German institutions that he consults from registering and storing his internet protocol addresses (‘IP addresses’). Those institutions register and store the IP addresses of visitors to those sites, together with the date and time when a site was accessed, with the aim of preventing cyberattacks and of making it possible to bring criminal proceedings.

The Federal Court of Justice (Germany) has made a reference to the Court of Justice asking whether, in that context, ‘dynamic’ IP addresses also constitute personal data in relation to the operator of the website, and thus benefit from the protection provided for such data.

A dynamic IP address is an IP address which is different each time there is a new connection to the internet. Unlike static IP addresses, dynamic IP addresses do not enable a link to be established, by means of files accessible to the public, between a specific computer and the physical connection to the network used by the internet service provider. Therefore, only Mr Breyer’s internet service provider has the additional information necessary to identify him.

Furthermore, the German court asks whether the operator of a website must, at least in principle, have the possibility to collect and subsequently use visitors’ personal data in order to ensure the general operability of its website. It observes, in that regard, that most academic commentators in Germany interpret the relevant German legislation as meaning that those data must be deleted at the end of the consultation period unless they are required for billing purposes.

In today’s judgment, the Court replies, first of all, that a dynamic IP address registered by an ‘online media services provider’ (that is, by the operator of a website, in the present case the German Federal institutions) when its publicly accessible website is consulted constitutes personal data with respect to that operator if it has the legal means enabling it to identify the visitor with the help of additional information held by that visitor’s internet service provider.

The Court observes, in that regard, that in Germany there appear to be legal channels enabling the online media services provider to contact the competent authority, in particular, in the event of cyberattacks, so that the latter may take the steps necessary to obtain that information from the internet service provider and subsequently bring criminal proceedings.

Second, the Court states that EU law precludes the legislation of a Member State under which an online media services provider may collect and use a visitor’s personal data, without his consent, only to the extent that it is necessary to facilitate and invoice the specific use of services by that visitor, so that the objective aiming to ensure the general operability of those services cannot justify the use of such data after those services have been accessed.

The Court recalls that, according to EU law, the processing of personal data is lawful, inter alia, if it is necessary to achieve a legitimate objective pursued by the controller, or by the third party to which the data are transmitted, provided that the interests or the fundamental rights and freedoms of the data subject do not override that objective.

The German legislation, as interpreted by the majority of legal commentators, reduces the scope of that principle, by excluding the possibility of balancing the objective of ensuring the general operability of online media against the interest or the rights and freedoms of visitors.

In that context, the Court emphasises that the Federal German institutions, which provide online media services, may have a legitimate interest in ensuring the continued functioning of their websites which goes beyond each specific use of their publicly accessible websites.