In its ruling of May 15, 2017, the BGH (case reference: VI ZR 135/13, press release) takes up the requirements of the ECJ in the matter of dynamic IP addresses (C-582/14).
Dynamically assigned IP addresses are “personal data” within the meaning of data protection law.
Consequently, the IP address may only be stored under the conditions of Section 15 para.
1 TMG may be stored.
Storage of dynamically assigned IP addresses without consent
The decision was based on a dispute between pirate politician Patrick Breyer and the Federal Republic of Germany.
Breyer was of the opinion that the storage of dynamic IP addresses by the federal government over a period of three months was unlawful.
This made tracking possible, even without the consent of the Internet users concerned.
The German government opposed the view of the data protectionists.
Storing the dynamic IP address is necessary to ensure the secure operation of web servers and to ward off attacks at an early stage.
The identification of attackers also plays an important role in the fight against cybercrime.
In its defense, it also stated that without the help of access providers, there would be no possibility of identifying dynamically assigned IP addresses.
ECJ: dynamic IP addresses are “personal data“
In 2013 (judgment of 31.01.2013 – 57 S 87/08), the Berlin Regional Court assumed that the storage was only impermissible if the website operator itself could identify the visitors using the IP addresses.
However, both Breyer and the German government then lodged an appeal with the Federal Court of Justice.
The latter referred the case to the ECJ.
In its ruling of May 15, 2017, the BGH referred to the ECJ ruling and confirmed Breyer’s opinion.
Dynamically assigned IP addresses are personal data within the meaning of Section 12 para.
1 and 2 of the German Telemedia Act (TMG) in conjunction with Section 3 para.
1 BDSG.
These may only be stored under the special conditions of Section 15 Para.
1 TMG.
BGH: Consideration must be made before storing the dynamic IP address
Providers of online media services may collect and use a user’s personal data without their consent, even after the end of a usage process, if this is necessary to ensure the general functionality of the services.
It is necessary to weigh up the interests of the provider against the fundamental rights and freedoms of internet users.
However, the BGH was unable to conclusively weigh up the facts in the case in question.
The Court of Appeal had not made a sufficient determination as to whether the storage of dynamic IP addresses over the period of use was necessary to ensure the functionality of the services.
In particular, the BGH did not have any comprehensive information on the potential risk posed by online media services that would allow it to weigh this up.
BGH refers case back to the Berlin Regional Court
Accordingly, the parties’ appeal was successful and the BGH referred the case back to the court of appeal.
The aspects of general prevention and criminal prosecution must now also be renegotiated by the Berlin Regional Court.