Cybersecurity takes priority over a person's data protection rights in some cases, the Federal Court has ruled. This specifically refers to the right to save IP addresses as defense against cyberattacks.
The Bundesgerichtshof Federal Court of Justice (BGH) made a ruling Tuesday in a case that dates back nearly a decade.
The BGH ruled that IP information of an internet user may be retained beyond the period the user visited a specific web site if retaining the IP information was necessary to defend and investigate cyberattacks. This is only permissible if the site is prone to cyberattacks. Further clarification is needed to determine which sites are considered to be at high risk of an attack.
The case was originally brought by Patrick Breyer, a politician from the Pirates party, who argued that an internet user's right to privacy and ownership of their own data should prevent IP addresses from being saved longer than the duration of a user's visit to a site.
"I am glad that the court is questioning the need for unfounded and across-the-board logging of our surfing behavior," Breyer said in a statement following the verdict.
What constitutes a risk?
Breyer also wondered why the previous findings "were not adequate for a definitive ruling," referring to the fact that the question of what constitutes a site at risk of a cyberattack was left open. The federal court left this decision to be made by the district court in Berlin.
The case has been passed from one court to another as clarification is sought. Most recently, German authorities referred the matter to the Court of Justice of the European Union to clarify if saving IP information was compliant with European law.
EU Court ruling
The EU court determined it was compliant, in the interest of preparing for hacker attacks. An IP address is a series of numbers unique to each internet user. Normally, without additional information from an internet service provider, an IP address cannot identify a specific person.
In the event of a hacker attack, if a possible link was discovered between the attack and the IP address of a user who had recently visited a site (and had the IP address saved), a website operator could take legal steps to force the internet service provider to provide the needed details to identify the person.