Europe’s top court has ruled that dynamic IP addresses can constitute “personal data,” just like static IP addresses, affording them some protection under EU law against being collected and stored by websites.
ArsTechnica UK adds:
But the Court of Justice of the European Union (CJEU) also said in its judgment on Wednesday that one legitimate reason for a site operator to store them is “to protect itself against cyberattacks.” The case was referred to the CJEU by the German Federal Court of Justice, after an action brought by German Pirate Party politician Patrick Breyer. He asked the courts to grant an injunction to prevent websites that he consults, run by federal German bodies, from collecting and storing his dynamic IP addresses. Breyer’s fear is that doing so would allow the German authorities to build up a picture of his interests. Site operators argue that they need to store the data in order to prevent “cybernetic attacks and make it possible to bring criminal proceedings” against those responsible, the CJEU said.