European Union

October 2016

The Death Of Pseudonymization?

A German government website collected and stored information in logfiles for security purposes (name of page/file, search terms, time of access, quantity of data transferred, success/failure, and IP address of the requesting computer). The information was ultimately stored so it could later be used to identify individuals for purposes of taking corrective or legal action. This practice was challenged by a German citizen, who claimed the logfile information, including any dynamic IP addresses, was ‘personal’.

The European Court of Justice ruled dynamic IP addresses in this case were personal, as they could be used to identify an individual when combined with ISP records – records that could be sought in a legal manner.

The court also ruled provisions limiting collection of IP addresses in the German Telemediengesetz (TMG) conflicted with the provisions of Article 7 of the directive (e.g., legitimate interest of the data controller). Identifying bad actors is a valid purpose for processing, and should be permitted under the TMG.

The case has been remanded to the Bundesgerichtshof (Federal Court of Justice) for a final ruling.
http://curia.europa.eu/juris/document/document.jsf;jsessionid=9ea7d0f130d527eb6e180f364309ab38a668dd626351.e34KaxiLc3eQc40LaxqMbN4Pa3uTe0?text=&docid=184668&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=1129916

jbho: I think the main concern here is that IP addresses could be considered ‘personal’ even when third party information would be needed to actually identify an individual. All that is necessary is that the supplemental information needed to identify an individual is legally available and reasonably attainable. This seems overbroad and may mean that pseudonymous information could still be ‘personal’ for the purposes of the GDPR.

Fortunately, the court did leave open the possibility that dynamic IP addresses could be anonymous if it would be unlawful or would require disproportional effort to use them to identify an individual. We’ll likely have to wait for more cases to clarify the ‘reasonableness’ threshold.

On the bright side, the opinion confirms security and fraud prevention are ‘legitimate purposes’ for processing under the Directive.

 
