
ECJ rules in favour of security and incident response

The recent Court of Justice of the European Union case of Breyer v Germany provides welcome support for those who wish to protect the security of online services. The case concerned two questions: whether a website's log files (each entry typically recording the time, the client IP address, the URL requested and the result) constitute personal data and, if so, whether data protection law allows the site operator to retain that personal data after the request has been completed.

The Court's first conclusion, that log files indexed by IP address do constitute personal data, agrees with the view long expressed by the Article 29 Working Party that service providers should treat IP addresses as personal data unless they know they are not. However, the Court rejected two of the broadest theories: that IP addresses are personal data merely because they allow an (unknown) individual's activity to be collated, and that they are personal data merely because some third party could link them to the responsible individual. Instead, the Court's reasoning relied on the website operator's own ability to use a legal process (some equivalent of the UK's Norwich Pharmacal order) to obtain the name of the user from their Internet Access Provider if required.

Having decided that log files are personal data, the Court nonetheless concluded that the website operator "may also have a legitimate interest in ensuring, in addition to the specific use of their publicly accessible websites, the continued functioning of those websites", which can justify the continued retention of the files. The new General Data Protection Regulation (GDPR), which applies from May 2018, does recognise that "the processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security" (Recital 49) is a legitimate interest of a wide range of parties. Current EU law, by contrast, is silent on whether anyone other than a network operator may process personal data to protect the security of their systems and services, while current German law explicitly prohibits it.

Declaring that protecting services is a legitimate interest does not give unconditional permission to process personal data: organisations still need to ensure that their actions are necessary, proportionate and not overridden by the rights of the individuals concerned. These conditions, however, are very similar to the precautions that incident response teams already take to ensure their activities protect, rather than harm, security. The Breyer judgment therefore provides a welcome "back-dating" of the GDPR's reassurance to security and incident response teams.

By Andrew Cormack

I'm Chief Regulatory Advisor at Jisc, responsible for keeping an eye out for places where our ideas, services and products might raise regulatory issues. My aim is to fix either the product or service, or the regulation, before there's a painful bump!
