Websites free to store IP addresses to prevent cyber attacks: EU court

A lock icon, signifying an encrypted Internet connection, is seen on an Internet Explorer browser in a photo illustration in Paris April 15, 2014. REUTERS/Mal Langsdon

BRUSSELS (Reuters) - Website owners are free to store users’ internet addresses to prevent cyber attacks, the European Union’s top court said on Wednesday, rejecting a claim from a German privacy activist who sought to stop the practice.

Patrick Breyer, a member of Germany’s Pirate Party, had sought to stop the German government registering and storing his Internet Protocol (IP) address when he visited its web pages, arguing that citizens should have a right to surf the web anonymously.

Website owners routinely store users’ IP addresses to provide customized features, enable or disable access to content or to blacklist IP addresses involved in “denial of service” attacks against a website.

German law prevents website owners from keeping users’ data indefinitely unless the data is required for billing purposes, but the Luxembourg-based Court of Justice of the European Union (ECJ) ruled on Wednesday that the prevention of cyber crime is a legitimate reason to store such data without users’ consent.

“Internet companies will still follow us around the web, collect information about our private interests and pass this information on,” Breyer said in response to the ruling. “Now the EU has to close this unacceptable loophole in data privacy laws as quickly as possible.”

Joerg Hladjk, leader of the Brussels cybersecurity, privacy and data protection practice at law firm Jones Day, said the ECJ ruling was an important decision that expanded the “scenarios under which data can be retained without the user’s consent beyond what is allowed under German law”.

Additional reporting by Peter Maushagen and Eric Auchard in Frankfurt; Editing by David Goodman