The CJEU has ruled that the operator of a website may have a legitimate interest in storing certain personal data relating to visitors to that website in order to protect itself against cyber attacks.

In the case of Patrick Breyer v Bundesrepublik Deutschland (Case C-582/14), Mr Breyer had brought an action before the German courts to prevent websites run by Federal German institutions from registering and storing his IP addresses. The institutions register and store the IP addresses of visitors to their sites, together with the date and time when a site was accessed, with the aim of preventing cyber attacks and making it possible to bring criminal proceedings.

The main question before the CJEU was whether dynamic IP addresses constitute “personal data” for data protection purposes. The court found that a dynamic IP address would constitute personal data where the website operator had the legal means of identifying the relevant individual with the help of additional information from the internet service provider. The court further found that, in this case, the German institutions had a legitimate interest in processing such personal data for the purpose of preventing cyber attacks.

Further details of the case can be found here.

Miriam Everett
Head of Data Protection and Privacy, London
+44 20 7466 2378
Duc Tran
Senior Associate, Digital TMT and Sourcing, London
+44 20 7466 2954