Updates to our Terms of Use

We are updating our Terms of Use. Please carefully review the updated Terms before proceeding to our website.

Tuesday, June 25, 2024 | Back issues
Courthouse News Service Courthouse News Service

Cyber Threats Justify Keeping EU User Data

(CN) - Despite Europe's stringent data-protection rules, its high court held Wednesday that website operators may store limited personal data - the IP addresses of users, in this case - to protect themselves against cyberattacks.

Patrick Breyer sued Germany seeking to bar government agencies from registering and storing his internet protocol addresses when he used their websites. The agencies register and store users' IP addresses together with a date and time stamp in order to prevent cyberattacks and to aid in criminal proceedings should one occur.

Under EU law, IP addresses are considered personal data.

However, the German court hearing Breyer's case asked the European Court of Justice whether dynamic IP addresses - which change each time a user connects to the internet - are also considered personal data, given that unlike static IP addresses, only the internet service provider has the information necessary to identify the user.

The German court also asked whether EU law allows website operators to collect IP addresses in order to keep their websites running, noting the academic consensus in Germany is that operators should delete the data at the end of a user's session unless it's needed for billing purposes.

In its 7-page opinion, the Luxembourg-based high court agreed that dynamic IP addresses also constitute personal data, since a user can be identified easily enough by contacting their service provider. And in the event of a cyberattack, website operators have legal channels to obtain information from the service providers and pursue criminal charges.

While EU law bars member states from allowing website operators to collect and use personal data without users' consent generally, the court said the interpretation of German law that would have operators delete the IP addresses at the end of a session may go too far and leave the agencies' websites vulnerable to a cyberattack that can't be traced.

The high court's decision is binding on the German court, which must render its decision accordingly.

Categories / Uncategorized

Subscribe to Closing Arguments

Sign up for new weekly newsletter Closing Arguments to get the latest about ongoing trials, major litigation and hot cases and rulings in courthouses around the U.S. and the world.