The Court of Justice of the European Union ruled that websites in the EU are free to store IP addresses if it can help them improve the security of their websites. The websites can do it even without user consent, which is normally required by EU Data Protection laws when website operators want to store data beyond the information necessary for billing.
Anonymous Web Surfing
Patrick Breyer from the German Pirate Party launched a lawsuit against the German government for storing IP addresses of visitors arguing that users have a right to surf the web anonymously. The Federal German institutions were storing IP addresses to prevent cybernetic attacks and make it possible to bring criminal proceedings.
The right to surf anonymously may still be in place if users themselves take measures for surfing anonymously, such as using Tor or a VPN. However, according to the CJEU, the government and other organizations can still legally register and store the IP addresses they see connecting to their sites, if they can use them to stop cyber attacks.
The issue at hand was also about whether storing dynamic IP addresses, which is what Breyer was using, represents an infringement on privacy. By definition, dynamic IP address change automatically, so it wouldn’t be possible to easily identify a person through the IP address unless the government also requests more information from the user’s ISP.
Ensuring Continued Site Functioning
The CJEU believes that website operators can register and process user data without consent as long as there is a legitimate interest in ensuring the continued functioning of the websites. However, that interest should go beyond a specific use of their publicly accessible websites. In this case, the IP address data can be used to prevent cyber attacks, which is something all websites may have to do to ensure their continued functioning.
The Court also said that the use of data should not override the fundamental rights of users (from the Charter of Fundamental Rights). In other words, websites shouldn’t collect data for purposes of, for instance, mass surveillance, which the Court has said before is non-proportional and indiscriminate, violating the fundamental right to privacy.
Good News For Facebook?
A Belgian court ruled earlier this year that Facebook can’t track non-users through cookies (which is a little different than tracking by IP); Facebook responded by positing that the tracking is necessary to protect Facebook users against cyber attacks, among other things. Facebook ended up winning that case because of a jurisdictional issue, but it may have to face the same case again at a later time, whether in Ireland, where its data gathering happens, or elsewhere.
However, it's not clear whether this ruling by the CJEU will help Facebook in the future, because Facebook uses the tracking for other objectives, such as advertising, too. Further, cookies can’t be sent without consent from users, according to the (in)famous “EU cookie law." Therefore, it remains to be seen whether this ruling will help companies expand their user tracking for advertising or other purposes in the EU, without requiring user consent.
