Website owners are free to store users' internet addresses to prevent cyber attacks, the European Union's top court said on Wednesday. Patrick Breyer has brought an action before the German courts seeking an injunction to prevent websites,run by the Federal German institutions that he consults, from registering and storing his internet protocol addresses.

Those institutions register and store the IP addresses of visitors to those sites, together with the date and time when a site was accessed, with the aim of preventing cybernetic attacks and to make it possible to bring criminal proceedings.

The Bundesgerichtshof (Federal Court of Justice, Germany) has made a reference to the European Court of Justice asking whether in that context 'dynamic' IP addresses also constitute personal data, in relation to the operator of the website, and thus benefit from the protection provided for such data.

A dynamic IP address is an IP address which is different each time there is a new connection to the internet. Unlike static IP addresses, dynamic IP addresses do not enable a link to be established, by means of files accessible to the public, between a specific computer and the physical connection to the network used by the internet service provider.

Therefore, only Breyer’s internet service provider has the additional information necessary to identify him.

Furthermore, the Bundesgerichtshof asks whether the operator of a website must, at least in principle, have the possibility to collect and subsequently use visitors’ personal data in order to ensure the general operability of its website. It observes, in that regard, that most academic commentators in Germany interpret the relevant German legislation as meaning that those data must be deleted at the end of the consultation period unless they are required for billing purposes.

The Luxembourg-based Court of Justice of the European Union (ECJ) ruled on Wednesday that the prevention of cyber crime is a legitimate reason to store such data without users' consent.