Slashdot Mirror
Your Dynamic IP Address Is Now Protected Personal Data Under EU Law (arstechnica.co.uk)
Europe's top court has ruled that dynamic IP addresses can constitute "personal data," just like static IP addresses, affording them some protection under EU law against being collected and stored by websites. ArsTechnica UK adds: But the Court of Justice of the European Union (CJEU) also said in its judgment on Wednesday that one legitimate reason for a site operator to store them is "to protect itself against cyberattacks." The case was referred to the CJEU by the German Federal Court of Justice, after an action brought by German Pirate Party politician Patrick Breyer. He asked the courts to grant an injunction to prevent websites that he consults, run by federal German bodies, from collecting and storing his dynamic IP addresses. Breyer's fear is that doing so would allow the German authorities to build up a picture of his interests. Site operators argue that they need to store the data in order to prevent "cybernetic attacks and make it possible to bring criminal proceedings" against those responsible, the CJEU said.
It is 'reasonable' that your IP address is considered personal information 'offered' to the web sites in question.
What this law 'should' mean (I can't speak for the wording specifically) is that a site's owner should treat a user's data as privileged, meaning it isn't handed out to others without reasonable justification. Law enforcement should still be able to subpoena these records as they probably have been able to in the past. My hope is that the law makes it harder for 'non-subpoena' requests for a given user's IP address harder to obtain since it would now be a privacy violation to disclose it.
That's all fine, but as the blow-back illustrates, just because an IP address makes a physical connection with a service you're hosting, it doesn't mean that said service is in any way being transmitted by the person in question. DOS attacks happen all over the place, and unless you have services which share information about these attack vectors, its significantly harder to track and get take-downs of the offenders (maybe I'm being too optimistic..).
Maybe the best trade-off is when an IP address is logically tied to further information from the site (site profile, name, email, etc..). If so, the information is considered 'personal information' while a random drive-by DOS is just considered infrastructure data.
Bye!
I'm the only one living in my house and I have a static IP address. Both my physical address and my IP address do identify me. You cannot know just by looking at them whether they identify a person, and that by itself should already be reason enough to treat them as potential personal data. That said, you're being inconsistent. Date of birth does not identify a person. Date of birth in combination with other facts may. Party affiliation does not identify a person. Party affiliation in combination with other facts may. A physical address does not necessarily identify a person. That same address in combination with other facts may. An IP address does not necessarily identify a person. That same address in combination with other facts may.
Sorry, you can't store it, it's personal protected data!