The Pirate Party had argued that the law allowed the government to profile its web visitors. The decision may be considered a double standard; Germany tends to advocate stricter data protection laws by western standards.
For all its tough talk on online privacy and data protection, the German government will continue to store data on people visiting its own websites.
The European Court of Justice (ECJ), Europe's highest court, ruled on Wednesday that storing dynamic internet-protocol (IP) addresses was necessary for the German government to counter potential hacking threats against its websites.
The case was brought to the ECJ by the Pirate Party's leader for Schleswig-Holstein, Patrick Breyer. According to Breyer, a lawyer by profession, the current law allows the state to profile users on its websites. For example, someone reading up about illegal drugs on the health ministry's website could be identified and potentially investigated or prosecuted, he argued.
Breyer spoke out against the Luxembourg-based court's verdict, saying: "With this ruling, internet service providers (ISPs) will continue to follow our activity step-by-step, as well as gather and sell on information about our private interests."
Dynamic addresses should be protected like static ones
However, the court also found that these dynamic IP addresses could be used to identify individuals and must therefore be especially protected from misuse.
IP addresses are a means of identification when computers connect to the internet. There are two types, known as static and dynamic IP addresses. Static IPs never change and are protected under German data law because they can easily be used to trace an individual. Dynamic IPs change frequently, meaning that from the outside users are effectively anonymous. However, they can still be used to trace someone with the help of an ISP, which logs which dynamic IP address came from which computer at any given time.
In the event of a rights violation, ISPs are obliged to hand their logs over to law enforcement authorities, granting them access to a user's personal information.
The ECJ ruled that the interests of website owners must be balanced against the users' privacy. This, it ruled, was not currently the case in Germany. The court said that Germany's Telemedia Act was limited in that it failed to stipulate how long personal data, such as IP addresses, can legally be stored.
Following the ruling, Germany's data protection commissioner Andrea Vosshoff said that the Telemedia Act would react to the European court's ruling, allowing dynamic IPs to be stored for no longer than seven days. She also welcomed the ECJ's decision to protect the government's security interests, saying: "The latest ruling allows data to be stored... for a period of time that absolutely allows us to fulfill our tasks."
The Federal Office for Information Security (BSI) also said it welcomed the court's decision to acknowledge the "security interests" at play. BSI President Arne Schönbohm said: "The storage of IP addresses is necessary for the federal government to guarantee the security and the maintenance of its telecommunications networks."
Germany's top civil and criminal court, the Bundesgerichtshof, has approached the ECJ to oversee the adoption of the respective EU privacy laws into its own Telemedia Act.
However, the German government's approach to storing visitors' dynamic IP addresses prior to Wednesday's ruling may come across as something of a double standard. Officials have often spoken out against the likes of Facebook and Google for collecting and storing data from German users. Similarly, the European Union has routinely forced the US web giants to change their policies for breaching its strict data protection laws.
It now remains up to the European Commission to rule on how ISPs log their clients' user information.
dm/msh (AFP, Reuters)