The Death Of Psuedonymization?
A German government website collected and stored information in logfiles for security purposes (name of page/file, search terms, time of access, quantity of data transferred, success/failure, and IP address of the requesting computer). Information was ultimately stored so it later could be used to identify individuals for purposes of taking corrective or legal action. This action was challenged by a German citizen claiming the logfile information was ‘personal’ including any dynamic IP addresses.
The European Court of Justice ruled dynamic IP addresses in this case were personal, as they could be used to identify an individual when combined with ISP records – records that could be sought in a legal manner.
The court also ruled provisions limiting collection of IP addresses in the German Telemediengesetz (TMG) conflicted with the provisions of Article 7 of the directive (e.g., legitimate interest of the data controller). Identifying bad actors is a valid purpose for processing, and should be permitted under the TMG.
The case has been remanded to the Bundesgerichtshof (Federal Court of Justice) for a final ruling.
jbho: I think the main concerns here is that IP addresses could be considered ‘personal’ even when third party information would be needed to actually identify an individual. All that is necessary is that the supplemental information needed to identify an individual is legally available and reasonably attainable. This seems overbroad and may mean that Psuedonymous information could still be ‘personal’ for the purposes of the GDPR.
Fortunately, the court did leave open the possibility that dynamic IP addresses could be anonymous if it would be unlawful or would require disproportional effort to use them to identify an individual. We’ll likely have to wait for more cases to clarify the ‘reasonableness’ threshold.
On the bright side, the opinion confirms security and fraud prevention are ‘legitimate purposes’ for processing under the Directive.