IP addresses now fall under PII - please read

bierbaer
Co-Founder
Posts: 2871
Joined: Saturday 21. November 2015, 23:47
Location: Germany

Post by bierbaer » Thursday 18. May 2017, 14:48

As of last Tuesday, 16.05.2017, the highest German court (Bundesgerichtshof - BGH) has ruled that dynamic IP addresses now fall under Personally Identifiable Information.
On the basis of the CJEU judgment, the statutory element "personal data" in § 12 (1) and (2) TMG in conjunction with § 3 (1) BDSG is to be interpreted in conformity with the Directive: a dynamic IP address that is stored by a provider of online media services when a person accesses a website which that provider makes generally accessible constitutes (protected) personal data for the provider.

As personal data, the IP address may be stored only under the conditions of § 15 (1) TMG. In conformity with the Directive, this provision is to be applied in line with Art. 7(f) of Directive 95/46/EC, as interpreted by the CJEU, to the effect that a provider of online media services may collect and use personal data of a user of those services without the user's consent, even beyond the end of a usage session, insofar as their collection and use are necessary to ensure the general operability of the services. This, however, requires a balancing against the interest and the fundamental rights and freedoms of the users.
http://juris.bundesgerichtshof.de/cgi-b ... s=0&anz=74

§ 12 and § 15 paragraph 1 of Telemediengesetz apply
Telemediengesetz (TMG)
§ 12 Principles
(1) The service provider may collect and use personal data for the provision of telemedia only insofar as this Act or another legal provision that expressly refers to telemedia permits it or the user has consented.
(2) The service provider may use personal data collected for the provision of telemedia for other purposes only insofar as this Act or another legal provision that expressly refers to telemedia permits it or the user has consented.
(3) Unless otherwise provided, the applicable provisions for the protection of personal data are to be applied, even if the data are not processed by automated means.
https://www.gesetze-im-internet.de/tmg/__12.html
Telemediengesetz (TMG)
§ 15 Usage data
(1) The service provider may collect and use a user's personal data only insofar as this is necessary to enable and bill for the use of telemedia (usage data). Usage data are in particular

1. characteristics identifying the user,
2. details of the beginning and end as well as the extent of the respective use, and
3. details of the telemedia used by the user.
https://www.gesetze-im-internet.de/tmg/__15.html

I did not find a translation of the ruling nor a translation of the Telemediengesetz [and I'm not going to translate it].

Here's a summary though in English: https://www.whitecase.com/publications/ ... some-cases

In addition to that, the ruling also describes the data usage after the user no longer obtains the web service. Once a user no longer obtains a service, the provider, in our case it is me with our website and forums, can only collect and manage PII if it is needed to maintain the service. Now that is almost impossible to argue. The defendant in the case above, Federal Republic of Germany, wanted to store the data for 3 months in order to defend against attacks and to identify attackers.

To follow up on that ruling, I assume that every registered user still wants to obtain the service I offer, regardless if the user did not login to the forums for an extended period of time. If a user wants to no longer obtain the service he will have to get in touch with me [admin@whips-bge.com]. I then will delete the user account and if necessary all the related posts / threads to that account. If data cannot be associated to a certain user anymore, we no longer talk about PII.

Last but not least, every user who's registering on our forums has to sign some kind of Terms of Services, which has not changed since the day I started these forums. Please see the highlighted part:
By accessing “WHIPS” (hereinafter “we”, “us”, “our”, “WHIPS”, “http://whips-bge.com/forums”), you agree to be legally bound by the following terms. If you do not agree to be legally bound by all of the following terms then please do not access and/or use “WHIPS”. We may change these at any time and we’ll do our utmost in informing you, though it would be prudent to review this regularly yourself as your continued usage of “WHIPS” after changes mean you agree to be legally bound by these terms as they are updated and/or amended.

Our forums are powered by phpBB (hereinafter “they”, “them”, “their”, “phpBB software”, “www.phpbb.com”, “phpBB Limited”, “phpBB Teams”) which is a bulletin board solution released under the “GNU General Public License v2” (hereinafter “GPL”) and can be downloaded from http://www.phpbb.com. The phpBB software only facilitates internet based discussions; phpBB Limited is not responsible for what we allow and/or disallow as permissible content and/or conduct. For further information about phpBB, please see: https://www.phpbb.com/.

You agree not to post any abusive, obscene, vulgar, slanderous, hateful, threatening, sexually-orientated or any other material that may violate any laws be it of your country, the country where “WHIPS” is hosted or International Law. Doing so may lead to you being immediately and permanently banned, with notification of your Internet Service Provider if deemed required by us. The IP address of all posts are recorded to aid in enforcing these conditions. You agree that “WHIPS” have the right to remove, edit, move or close any topic at any time should we see fit. As a user you agree to any information you have entered to being stored in a database. While this information will not be disclosed to any third party without your consent, neither “WHIPS” nor phpBB shall be held responsible for any hacking attempt that may lead to the data being compromised.
The user is already being advised, that IP addresses are being stored.

Furthermore, I am posting this here [OffTopic] because every member and non member of the web services I offer has access to this area and can read it up at any given time.

If you object to storing any personally identifiable information belonging to you, please let me know and I will delete your account. Currently I do not see any other option as phpBB and WordPress core functions are based on, for example, the IP address.

As required by German law, my Impressum page has been live since day one as well for further read up: http://whips-bge.com/impressum/

Please let me know if you have any questions!

A written read & understood is not required as this is public information and I expect everyone to read it. With this information I'm officially reminding all users that PII are being stored when using my web services. Whoever does not want to have his/her data stored please get in touch with me to delete the account [admin@whips-bge.com].

Thanks!

bb

Braum
Posts: 67
Joined: Sunday 2. April 2017, 16:30

Re: IP addresses now fall under PII - please read

Post by Braum » Saturday 20. May 2017, 10:46

Ehhh... I could not imagine what will ever make this apply to anyone using this forum, as no illegal activities take place here. Furthermore, who said I/others need to access this forum using my dynamically assigned IP... I could use a VPN, or a proxy. It does not matter :)

bierbaer
Co-Founder
Posts: 2871
Joined: Saturday 21. November 2015, 23:47
Location: Germany

Re: IP addresses now fall under PII - please read

Post by bierbaer » Saturday 20. May 2017, 14:38

It applies to everyone, regardless of the activities in here. It is the basic protection of any user that his/her personal data is not being stored without his/her consent or some kind of law applies which is allowing storing the personal data without the user's consent. So that's why I addressed the issue, as the consent is being given in the TOS when you sign up. I just had to clarify now, as it is part of the law, what happens when the user no longer obtains the service. So the user actively has to ask for removal for me to know that he is no longer obtaining the service.
It's just my attempt to protect myself from a potential lawsuit. Data protection is a big thing in Germany. We probably have the toughest data protection laws around the globe. Which is good for the user, tough for someone like me who just wants to host a squad website ;)

bb
