The European Union’s highest court decided on Wednesday (Oct. 19) to allow websites to store the Internet Protocol (IP) addresses on users in an effort to help prevent cyberattacks. The decision rejects a claim made by a privacy activist in Germany to stop the practice.
According to Reuters, it’s commonplace for website owners to routinely store IP addresses in order to provide tailored features, enable or disable content access or even to blacklist any addresses involved in a distributed denial of service (DDoS) cyberattack.
But Patrick Breyer, a member of Germany’s Pirate Party, was on a mission to put an end to the German government registering and storing his IP address while he visited its web pages. His argument is that citizens should have the right to anonymously browse the internet if they so choose.
While a German law prevents websites from holding onto users’ data indefinitely unless that data is being used for billing purposes, the new ruling by the Luxembourg-based Court of Justice of the European Union (ECJ) states that preventing cybercrime is also a legitimate reason for storing this type of data without user consent.
“Internet companies will still follow us around the web, collect information about our private interests and pass this information on,” Breyer told Reuters in response to the ruling. “Now the EU has to close this unacceptable loophole in data privacy laws as quickly as possible.”
Joerg Hladjk, a cybersecurity, privacy and data protection lawyer in Brussels, said the ECJ ruling expanded the “scenarios under which data can be retained without the user’s consent beyond what is allowed under German law.”