By Jan Pohle, Partner, Cologne
(Decision of 28 October 2014, VI ZR 135/13)
The German Federal Supreme Court had to decide whether the Federal Republic of Germany may store the IP address of a visitor to its websites beyond the end of the respective user activity. The Supreme Court decided first to suspend the proceedings and refer two questions on Directive 95/46/EC (the so-called EC Data Protection Directive) to the European Court of Justice (ECJ).
The plaintiff, a member of the state parliament of Schleswig-Holstein and a member of the Pirate Party, brought an action against the Federal Republic of Germany, applying for an order that the defendant refrain from storing the IP addresses assigned to him beyond the end of the respective user activity. The defendant contends that storing the IP addresses is necessary to prevent attacks on online deals and pursue prosecution of those involved. For this purpose, the defendant stores not only the dynamic IP addresses of visitors but also the particular time of the visit to the respective website.
While the district court dismissed the action, the Court of Appeal upheld the complaint in part. The Court of Appeal awarded the plaintiff the injunction insofar as it relates to the storage of IP addresses in conjunction with the time of each visit to the site and to the extent that the plaintiff provides his personal details during the user activity. Both the plaintiff and the defendant have appealed that decision.
The Supreme Court decided to stay the proceedings and refer two questions on the interpretation of the EC Data Protection Directive to the ECJ for a preliminary ruling.
The plaintiff’s claim for injunctive relief requires, first, that the disputed dynamic IP addresses in the specific case are “personal data” that enjoy the protection of the data protection law harmonized by the Directive. The Supreme Court considers it doubtful whether this can be the case if the plaintiff does not indicate his personal details during the user activity. In this specific case, the responsible entity would then have had no information that permitted the identification of the plaintiff based solely on the IP address. The plaintiff’s access provider is also expected not to provide information about the plaintiff’s identity to the responsible authorities of the defendant. For this reason, the Supreme Court has referred to the ECJ the question of whether Article 2a of the EC Data Protection Directive should be interpreted as meaning that an IP address that a service provider stores in connection with a visit to its website already constitutes personal data for that provider if a third party has the additional knowledge necessary to identify the relevant person.
If it is concluded that the aforementioned data is “personal data,” statutory permission is required for storage (§ 12 para. 1 TMG) if, as in this case, user consent is missing. According to the defendant, it needs to store the IP addresses to ensure and maintain the safety and functionality of its telemedia. However, it is questionable whether this is sufficient for permission pursuant to § 15 para. 1 TMG. Under this provision, the provider may collect and use a user’s personal information to the extent necessary to permit the use of the telemedia and for billing purposes. In the Supreme Court’s view, systematic considerations suggest that this provision only permits data collection and use in order to enable a specific usage relationship and that the data must be deleted at the end of the respective user activity if they are not needed for billing purposes. The Supreme Court considers it possible that the nature of Article 7f of the EC Data Protection Directive could demand a broader interpretation. For this reason, the Supreme Court has referred to the ECJ the question of whether the EC Data Protection Directive precludes the content of § 15 para. 1 TMG, a provision of national law.
Relevance of the Decision
The order of the Supreme Court is to be welcomed. It offers the ECJ the opportunity to clarify whether dynamic IP addresses are considered “personal data” under the provisions of data protection law. This is currently very controversial. Some argue that dynamic IP addresses in the server log files of telemedia service providers are not personal data because the information that is required to identify the persons concerned is only available to the access provider. Others take the opposite view and justify this by saying that all the information that is theoretically available must be taken into account when considering whether data qualify as “personal data”. It remains to be seen whether the ECJ will use the questions referred to it in order to make a fundamental decision regarding the legal questions that have been raised.