Website providers that collect dynamic Internet Protocol addresses (“IP address”) from website visitors may soon be subject to even more scrutiny from data protection authorities in the EU.
Last week, Europe’s Advocate General Manuel Campos Sánchez-Bordona (one of the advisors to the European Court of Justice, “ECJ”) released an opinion which, if followed by the ECJ would end a long debated question whether IP addresses are personal data subject to EU data privacy law. The Advocate General takes the view that dynamic IP addresses are personal data when being in the hands of a website provider when a third party (e.g. the internet access provider) has access to additional information that would enable identification of the Internet user.
The Düsseldorfer Kreis, a committee made up of representatives of German data protection authorities, recently published guidance on the requirements for obtaining valid consent to the collection, processing and use of personal data under the relevant German data protection provisions, the Federal Data Protection Act (Bundesdatenschutzgesetz) (“BDSG”) and the Telemedia Act (Telemediengesetz).
The Düsseldorfer Kreis frequently publishes guidelines on topics of relevance for data privacy law which are broadly recognized as good practices (and from the supervisory authorities’ viewpoint, mandatory interpretations of the applicable law). The German data protection authorities found the topic of consent to be particularly relevant, noting that while it is common for companies to rely on obtaining consent from their customers to justify the processing of personal data, in many cases these companies fail to implement compliant data privacy consent language into their business processes. To ensure that such data processing can be performed in compliance with data privacy law, the procedure of obtaining valid consent should be the focus of any company active in processing personal data.