For how long may the IP address be stored "on reserve" or must it be deleted immediately? In the dispute between a customer and Deutsche Telekom AG, which began in 2007, the Federal Court of Justice has once again taken a stand, now also on the points of a reported pseudonymization and the illegality of data retention.

The owner of the DSL connection demanded that Deutsche Telekom AG delete the IP address immediately. In the earlier proceedings, it had already been decided that the Group was not allowed to store the IP address for 80 days as initially, but for 7 days.

In the renewed appeal, the BGH dealt with the question of whether pseudonymization was appropriate. In addition, the BGH was faced with the Judgment of the Court of Justice of the European Union (CJEU) of April 8, 2014 - Case C-293/12which declared the European Data Retention Directive invalid.

The court's decision

The pseudonymization requested by the user was rejected by the BGH in its judgment of July 3, 2014 - Ref. III ZR 391/13 from.

With pseudonymization, the customer ID is not linked to the IP address used, but to another anonymous character string. The character string is assigned to a specific user by an external service provider.

However, the BGH ruled that the IP address alone is also anonymous. It was only possible to draw conclusions about a specific user by linking it to the other data of the user's specific session. The added value in terms of data protection was therefore only achieved by the fact that the pseudonymization had to be reversed by an external neutral body. However, reversing the pseudonymization for each individual case of misuse would be an unjustifiable additional expense in view of the large number of cases of misuse per month. According to the evidence taken in the appeal proceedings, 500,000 cases of abuse would have to be tracked every month.

The BGH also saw no reason to revise the retention period of 7 days in the ECJ's ruling on the invalidity of the Data Retention Directive. The BGH argued that, quite apart from the fact that the directive contains a much longer retention period of 6 months (at least), the ECJ's considerations were not applicable. In the present case, the storage was carried out in the interest of the network operator and not for access by the police and public prosecutor's office.

Conclusion

Even if there is no recognizable reason, the IP address of the user may be stored by their telecommunications provider for 7 days according to the case law of the BGH. This is justified by the need to prevent disruption to the communications infrastructure.