The Court of Justice of the European Union (CJEU) has ruled that the German government can collect and keep IP addresses of visitors to websites operated by German Federal institutions, in order to protect those sites against cyberattacks (e.g. denial-of-service attacks).
Alex Mathews, EMEA Technical Manager of Positive Technologies: “This is an old problem about "personal data" term. The EU law (Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data) gives rather a vague definition of what data is personal: “any information relating to an identified or identifiable individual”.
“Some people take this to the extreme, saying that any IP-address of any computer you use to browse the Web is your "personal info" even if you're an anonymous user working from a public library's computer. This strange definition would make a big problem for IT industry: all service providers would have to spend a lot of money to protect all the web-server logs and diagnostic info where IP addresses were used, “ he aays.
“The current solution of the Court of Justice of the European Union makes the situation clear: the dynamic IP address doesn’t enable a person to be directly identified, so IPs cannot be considered personal data of the user.