CJEU case: Patrick Breyer MEP draws a red line against storage of citizens’ IP addresses

On 15 and 16 May the judges of the Court of Justice of the European Union heard the French government, several French NGOs, the European Data Protection Supervisor and the European Union Agency for Cybersecurity in a case whose outcome will significantly strengthen or weaken, respectively the privacy of more than 447 million EU citizen’s activities on the Internet. (See case C‑470/21)

The French NGO La Quadrature du Net (LQDN) and three other complainants challenge France’s use of citizens’ Internet identity to enforce copyright. The NGOs argue that using indiscriminately retained IP addresses to prosecute filesharing is disproportionate since it does not concern serious crimes and also there is no independent control prior to the access. In consequence, the competent authority Arcom (formerly Hadopi), maintains a surveillance file containing large amounts of IP addresses and civil identity data of citizens in order to warn and eventually punish Internet users who share copyrighted works without authorisation.

In his non-binding opinion, Advocate General (AG) Szpunar of the Court of Justice of the European Union proposes a “readjustment of the case-law of the Court on the interpretation of Article 15(1) of Directive 2002/58 as regards measures for the Luxembourg assigned to the source of a connection” in the form of jurisdiction “providing for the general and indiscriminate retention of IP addresses (…) for the purposes of [fighting] online criminal offences for which the IP address is the only means of investigation.”

Red Line: EU citizens have a right to confidential internet communication

A general and indiscriminate retention of IP addresses assigned to the source of a connection has unacceptable consequences.

IP addresses are access to identity

The IP records of citizens in combination with standard logfiles kept by content providers must be compared with a compulsory routing slip that keeps track of the activities of each citizen. In the analogue world, such activity retention would be unacceptable: It would be retained which newspaper articles citizens read in the morning, which doctor is contacted during the lunch break and who meets whom in the evening. Such a recording of activities would be unimaginable in analogue form in a democracy. In digital form, all this data is available, distributed across networked databases and devices. The IP addresses of citizens are the link that makes them accessible and traceable, IP addresses are access to identity.

The end of anonymity on the Internet

General and indiscriminate retention of IP addresses would constitute the end of the possibility for citizens to anonymously and confidentially request information on the internet, to seek medical advice or to contact journalists anonymously. Particularly affected would be people who seek advice and help in an emergency situation (e.g. victims and perpetrators of violent or sexual offences), citizens who want to express their opinion despite public pressure or citizens who want to expose abuses and who want to contact journalists or file a criminal complaint anonymously.

Retention of IP addresses affects e-mail correspondence

The IP address of the sender is included in most e-mails, so that e-mail accounts registered under a pseudonym could also be assigned in the future. Confidential e-mail communication must be better protected because it is one of the most widespread communication channels through which people exchange information, seek psychological or other medical advice, or contact the police, media or lawyers.

General suspicion against millions of citizens

General and indiscriminate retention of IP addresses violates the presumption of innocence. Already the storage of the data is an intrusion into the privacy of the internet users. Obligations to retain IP addresses are disproportionate because they overwhelmingly affect law-abiding citizens.

Personality and movement profiles

General and undifferentiated retention of citizens’ identity on the internet would enable the creation of meaningful personality and movement profiles of virtually every citizen to an even greater extent than telephone connection data because online activities cover the entire life of citizens. From the sum of the information of what citizens read and write on the Internet, a profile can be created, which can reveal, for example, political opinion, religion, illnesses or sex life. In addition to this, the IP address can also be used to determine the approximate location of the user. Due to the data accumulated and stored by many devices even in “stand-by mode”, extensive movement profiles, behavior patterns and user behavior can be created.

IPv6 addresses can be unique and persistent tracking identifiers

The new standard for IP addresses IPv6 makes it possible to assign an individual identification, a permanently identical IP address, to almost any number of everyday objects in our lives. Watches, refrigerators, toys, cars, work tools, smart home devices, simple telephones as well as smartphones, MP3 players and almost every other small technical device can be connected with the internet in the future. This the so-called “Internet of things” would be covered by general and undifferentiated retention in its entirety. According to a recent study, 19% of households can already be tracked permanently using the end-user ID in their IPv6 address.

Amplification of infringement of fundamental rights through combination of data

IP records must be considered in combination with other information (“log files”) stored by providers such as Google, Amazon, Meta or Microsoft. A general storage of IP addresses would make the entire internet use traceable. Potentially that includes every Internet user’s inputs, clicks, internet pages read, search terms, downloads and every posts on the Internet. Once a pseudonym (e.g. user account, cookie) has been identified via the user’s IP address, usage data from the provider often enables the tracking of every click and entry made by the owner over days, weeks or months.

Discrimination against internet users

General and undifferentiated retention of our identity on the internet would be an unjustifiable and anti-technology discrimination against internet users compared to people who can continue to communicate and obtain information anonymously by telephone (e.g. flat rate), post or directly. The fact that the IP address can be the only clue to solving a crime does not distinguish it from other connection data. It is not comprehensible why the identifiability of a subscriber on the basis of an IP address should be established under lower conditions than its identifiability with the help of other traffic data (e.g. IMEI identifier, time of a telephone connection).

EU jurisdiction is not respected

For more than 15 years, EU member state governments are reluctant to comply with the Court’s jurisdiction when it comes to data retention. Repeatably governments have ignored safeguards and requirements imposed by the Court. Recently governments of Belgium, Denmark and Ireland take every opportunity to enforce the maximum possible surveillance instead of investing in police work and social work as experts explain. Any weakening of fundamental digital rights will be further overstretched by governments. Which in sum leads to unnecessary and disproportionate surveillance of EU citizens and adds to the crisis of the Rule of Law in the EU.

Citizens’ IP addresses should be better protected

When it comes to citizens’ internet activities, the sensitivity of IP data records must be considered comprehensively and in the long term. What is crucial is the usability of the accumulated collected data and the possibilities of using citizens’ IP data. Therefore, IP data should be better protected and retained only in cases where there is a concrete reason to do so. For example in cases of suspicion, the identity of the user of an IP address may only be disclosed with a court order, only for the prosecution of serious crimes or for the prevention of serious dangers. Legally, the presumption of innocence must be upheld. Politically, only fundamental-rights-friendly alternatives to any kind of general and indiscriminate data retention will respect the values of the EU.