Privacy & Information Security Law Blog

On February 25, 2016, the Court of Justice of the European Union (“CJEU”) heard arguments on two questions referred by the German Federal Court of Justice (Bundesgerichtshof). The first question was whether or not IP addresses constitute personal data and therefore cannot be stored beyond what is necessary to provide an Internet service. The German court referred the questions to the CJEU for a preliminary ruling in connection with a case that arose in 2008 when a German citizen challenged the German federal government’s storage of the dynamic IP addresses of users on government websites. The citizen’s claim initially was rejected by the court of first instance. The claim was granted, however, by the court of second instance to the extent it referred to the storage of IP addresses after the users left the relevant government websites. Subsequently, both parties appealed the decision to the German Federal Court of Justice. The CJEU may follow its 2011 decision in which it confirmed that IP addresses are personal data.

The other question referred to the CJEU is whether or not the EU Data Protection Directive 95/46/EC is contrary to a provision in the German Telemedia Act. According to the relevant provision of the Telemedia Act, a website provider may collect and process the personal data of users without their consent only to the extent it is necessary to (1) enable the general functionality of the website or (2) arrange payment.