The storage of IP addresses represents a serious encroachment on the fundamental rights of users. Internet users may always expect that the protection of their identity is preserved and, as a matter of principle, not revealed.
For companies, this decision means that storing the full IP address in server logs is illegal. A legitimate interest in storing this data can no longer be assumed after this ruling.
General data retention has been a controversial topic in Europe for years. The European Court of Justice (ECJ) confirmed the previous case law on data retention in its ruling of April 5, 2022 (Case C-140/20).
In the course of the preliminary ruling, the Irish Supreme Court asked the ECJ to interpret the Cookie Directive. The Irish ruling concerns the practices used in the case of Graham Dwyer, who was convicted of murder, to query the suspect’s mobile data collected as part of the data retention process.
Traffic and location data may be retained generally and indiscriminately to ensure national security, especially with regard to terrorist activities. Traffic data is all information that is stored when a telecommunications service is used, such as the duration, time or data volume of a message.
Not allowed are national laws that provide for general and indiscriminate retention of traffic and location data for the purpose of combating serious crime and preventing serious threats to public security.
IP addresses assigned to the source of a connection may be stored in a general and indiscriminate manner for a period limited to what is absolutely necessary. The general storage of IP addresses represents a serious encroachment on fundamental rights. According to Art. 8 of the Charter, Internet users are entitled to expect that the protection of their personal data is guaranteed and that their identity is not disclosed as a matter of principle. However, the IP address is often the only clue in the case of a crime committed on the Internet that makes it possible to determine the identity of the person, especially in relation to child pornography. Therefore, the general and indiscriminate retention of IP addresses is allowed only if it is made conditional on strict compliance with the substantive and procedural requirements.
General retention of data concerning the identity of users of electronic communications is also permitted.
Providers of electronic communication services may be required, by means of a decision of the competent authority subject to effective judicial review, to immediately back up traffic and location data for a specified period of time (quick freeze).
What this means for the admissibility of evidence relied upon in the criminal proceedings against Graham Dwyer is for the Irish Court to decide, as this remains a matter of Irish law, in accordance with the principle of procedural autonomy of Member States.