IP addresses NOT personal data in Germany


wowow A German court has ruled that IP addresses should not be considered personal data because IP addresses cannot identify the user. The ruling is consistent with guidance published by the UK Information Commissioner last year, but clashes with the April Article 29 Working Party opinion that IP addresses should be considered personal data. Read more..

This sort of makes sense today. After all we have not yet arrived at a time in the future when an IP address can be used to identify us, that is, not just assume that if this person uses this computer it can identify the user. One day as devices become more ubiquitous, I guess that will come 😉

2 comments

  1. IP addresses should not be considered personal data because IP addresses cannot identify the user.

    That’s not 100% correct. The headline is “German court says IP addresses in server logs are not personal data”. In more detail the article says:

    in a provisional ruling, the district court of Munich has said that when stored by an internet publisher, IP addresses are not personal data under the country’s Privacy Act because the information cannot be easily used to determine a person’s identity.

    The ruling said that an internet service provider (ISP) could not tell a third party who was using a particular IP address at a particular time without a legal basis. ISPs generally do not give out such information except when ordered to do so by a court.

    In other words, the IP addresses are of no use to the website operator because normally they can’t get hold of the ISP logs which would allow them to map the addresses to subscribers.

    If you’re a government agency or police force then of course the rules are somewhat different.

  2. thanks for the clarification Victor! I should write something not 100% accurate more often so I get more comments on my blog;-)

    and of course we all trust our government authorities to use this information wisely, once they get hold of it 😉

    this reminds me of when personal data is anonymised (i.e. stripped of PII), a court in Scotland ruled that anonymised (medical) data was still personal because even though the PII had been stripped, the patterns in the data could nonetheless link back to the data subjects (children in this example). Of course it is not the same as this example with IP addresses, but to say that IP addresses in server logs are not personal data but otherwise I guess this means it is, just doesn’t make sense

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s