German Court Seeks Clarity on IP Address Privacy
- usareisende
- 3 days ago
Updated: 10 hours ago
The GDPR, or General Data Protection Regulation, is a powerful data privacy law enacted by the European Union. According to its official website, it “is the toughest privacy and security law in the world” because of its strict regulation on data collection for individuals and businesses within the EU. Regulation implementation started in 2018, and non-compliance means hefty fines. Meta, Amazon, TikTok, and Uber have been fined millions for non-compliance with GDPR.
The GDPR is a far-reaching law that enforces strict rules on data collection. Unfortunately, confusion about some aspects of the law has led to its abuse.
Dynamic IP Address Data Collection
PPC.land reported that the German court is seeking clarification on whether dynamic IP addresses are treated as protected data. IP addresses are protected data under GDPR, meaning websites cannot share them without user consent. Without consent, the website could be fined for non-compliance with the privacy regulation.
IP addresses are generally considered protected under GDPR. However, cases requiring clarification on their use have emerged.
The German court sought clarification on IP address protection based on a case filed in October 2022. The case was filed after an individual’s IP address was used to load website content without consent. The website used Google Fonts, which is based in the US, and the IP address was used there to load the font. Websites that use Google Fonts must share their visitors’ IP addresses to load the free fonts online.
This was done without the visitor’s consent. It should be an open-and-shut case because it is a clear instance of using an IP address without consent. The individual demanded €170 from a website, and the website actually paid.
But here’s the twist: the individual was actually running a web crawler to identify websites using Google Fonts. The identified websites were then visited using software to trigger the infraction. The individual then sent warning letters to 100,000 websites, hoping to earn money. The website that paid the fee counter-sued after learning of the illegal operation. The court required the individual to reimburse the payment.
Clarification on the Use of IP Addresses
IP addresses are personal data protected by GDPR. However, abuse of the law for financial gain should not be encouraged. The case was decided based on the individual’s actions, not on how the IP address was used. Website owners may have violated GDPR by sharing the IP address with an entity outside the EU. But using a web crawler and software to visit these sites in order to trigger a violation is a different matter. The dynamic IP addresses shared also did not come with additional data. The website owner and Google do not have the capacity to locate the actual individual using the shared IP address.
This is where the clarification from the German court arises. An IP address should be treated as personal data by itself. However, additional prerequisites should be outlined before violations are triggered. It’s a highly technical legal challenge, but clarifying the issue should help improve GDPR implementation.