Computer Fraud and Abuse

By Gail Crawford and Ulrich Wuermeling

On October 19, 2016, the Court of Justice of the European Union (CJEU) issued a ruling on the question of whether IP addresses constitute personal data. The ruling has direct implications for the general question of when data can be regarded as anonymous and thus falls outside the scope of data protection law. Many statistical applications rely on the assumption that they only use anonymous data (for example, for online behavioral advertising, web analytics, security monitoring or health research). Whilst the CJEU has come to the conclusion that in this specific case IP addresses can be used to identify individuals, it provides helpful guidance in other cases where there is no real likelihood of the “key” to the data that is anonymised ever ending up in the hands of the processor in question.

In the case before the CJEU, the institutions of the German Federal Government stored logfiles of users of their internet websites in order to prevent attacks and to make it possible to prosecute “pirates.” The logfiles were kept by the institutions after the user ended the session. A German data protection activist sued the Government with the aim of blocking such storage. He argued that the data should be regarded as personal data since the internet service provider used by the activist had knowledge about his identity and the dynamic IP addresses he used. The logfiles should be regarded as “personal data” because the internet service provider, as a third party, was able to identify the users.

By Gail Crawford and Amy Taylor

At the end of 2010, the UK Government raised the national threat level for cyber security risk to Tier One (the same tier as the terrorism threat) and announced it was allocating £650 million (around US $1 billion) to governmental cyber security measures and resilience developments.

A recent report by Chatham House in association with Detica indicates that many private organizations are well behind the government in how they evaluate and defend against these

As online services Groupon and Facebook have recently learned, cybersquatters are more than a mere nuisance.  Cybersquatting can disrupt or delay business expansion or operations, or compromise security and user experience. 

Groupon’s planned expansion to Australia was delayed for months because a clone site in Australia named Scoopon purchased the Groupon.com.au domain name, took the company name Groupon Pty Limited, and tried to register the Groupon trademark (filing for the trademark seven days before Groupon in Australia).  Groupon was forced