The European Court of Justice (ECJ) ruled today (19 October) that Germany’s government may collect and save the log data of visitors to its websites, in order for it to better resist hackers. EurActiv Germany reports.
The Luxembourg court dismissed a case brought by the Pirate Party’s Schleswig-Holstein leader, Patrick Breyer, who claimed that Berlin’s practice of recording such information is a breach of data protection laws.
Breyer had taken his concerns to Germany’s federal court, who then referred the case to the ECJ, asking for a judgment on whether a dynamic IP address can be protected as a piece of “personal data” if the access provider requires additional information to identify the user.
German industries have urged caution when the European Commission presents its free flow of data initiative next month, warning that excessive open data requirements risk exposing trade secrets and chilling investments in the digital economy.
Today’s decision means the ECJ does not agree with this interpretation. As a result, the federal government is allowed to continue recording the log data of its websites’ users, in order to safeguard against hackers. The decision is very important for many internet service providers.
The German government will now be able to collect and store the dynamic IP addresses of its websites’ users, in addition to the info it already records, such as when a webpage was viewed and for how long.
The ECJ stipulated that this would only come into the realms of data protection if access providers could identify the internet users with further technical information.
European Commission officials have struck a deal that could put a clause guaranteeing international data flows into a trade agreement with 22 countries outside the bloc, including the United States and Australia.
Germany’s data protection officer, Andrea Voßhoff, welcomed the federal court’s referral to the ECJ back in October 2014. Whether IP addresses should be considered pieces of personal information and therefore safeguarded by data protection rules will be debated for years to come.
The EU regulation on data protection, which is still a work-in-progress, requires “a uniform interpretation and a harmonised approach to fundamental issues”, explained Voßhoff.
“The EU does not protect internet users from their internet usage behaviour being monitored en masse,” said Breyer, in response to today’s verdict. He complained that internet users will continue to have their “private interests and preferences collected and passed on”, urging the EU to “close this unacceptable gap in its data protection as quickly as possible, by introducing a new law!”