
Retaining IP addresses for network security purposes… What does data protection law have to say?


It has already been announced by a few German-speaking commentators (here and here) that the Court of Justice of the European Union (CJEU) has been asked two very interesting questions by the German Federal Court of Justice (BGH) in its decision of 28 October 2014 [as mentioned in German here]:

  1. Whether dynamic IP addresses are personal data even if the service provider retaining the IP addresses does not have access to subscriber information.
  2. Whether the securing of one’s network or system can justify the processing of personal data including IP addresses and in particular the retention of IP addresses once the user session is terminated.

Dominik Kirschner explains that the claimant was not happy with the Federal Republic of Germany (FRG)’s practice of retaining users’ access data including dynamic IP addresses even after the termination of the user session. The FRG had justified its practice by its aim of ensuring the security of its system.

Well, in a co-authored paper published yesterday, Evangelia Papadaki, Tim Chown and I show that ensuring the security of one’s network is on the verge of becoming an almost official “legitimising” end… unless it is already considered to be a subcategory of traffic management. Indeed Recital 39 of the proposed General Data Protection Regulation states that:

“[t]he processing of data to the extent strictly necessary for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted data, and the security of the related services offered by, or accessible via, these networks and systems, by public authorities, Computer Emergency Response Teams – CERTs, Computer Security Incident Response Teams – CSIRTs, providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the concerned data controller”. Some examples are given and concern mainly the prevention of criminal activities: the foregoing could “include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems”.

Above all, we show that several players are retaining traffic data (also known as network-level metadata) for the purposes of ensuring the security of their networks or systems. And in some cases they even look at application-level metadata, i.e. within the payload of packets. [Peep Beep!]. [For an explanation of these terms see here where I have tried to clarify the concept of metadata]. There is thus a need to properly confine these practices, as network security is a very broad legitimising end [arguably too broad!].

To go back to the first question, whether dynamic IP addresses should be considered personal data even if the service provider retaining them cannot combine them with subscriber information, there is obviously the argument that one should not look only into the hands of the data controller at stake but beyond that, as recalled by the Article 29 Working Party:

“Though IP addresses in most cases are not directly identifiable by search engines, identification can be achieved by a third party. Internet access providers hold IP address data. Law enforcement and national security authorities can gain access to these data and in some Member States private parties have gained access also through civil litigation. Thus, in most cases – including cases with dynamic IP address allocation – the necessary data will be available to identify the user(s) of the IP address”.

[There is also an interesting answer given in 2013 by Mrs Reding on behalf of the Commission here, although I wonder to what extent it really clarifies the matter].

One should also remember that in the Scarlet v Sabam Case of 2011 the CJEU did not pay too much attention to these details in holding that IP addresses “are protected personal data because they allow those users to be precisely identified” [51], although it was certainly an easy case (the service provider at stake did retain subscriber information).

Finally, the recent decision (Ordonnance de référé) of the Tribunal de grande instance de Paris of 17 July 2014 is quite interesting inasmuch as, by qualifying IP addresses as personal data, the judge allowed the claimant to have access to the history of the logs to her bank account (including IP addresses) and thereby enabled her to show that the account had been fraudulently accessed. [In the past French judges have not always found that IP addresses are personal data though].

There might thus be an argument for adopting a broad definition of personal data, while making the duties imposed upon data controllers vary in relation to their retention practices, their means to obtain directly identifiable information, and the very nature of the legitimising end they are pursuing.

Sophie Stalla-Bourdillon
