A bizarre data protection dispute in Berlin sheds a light on the necessity of incitements to anonymization. The lack of such incitements is one of the key deficits of the proposals for new European laws (Härting, „Data Protection Regulation in the European Parliament – Three Key Issues“, CRonline Blog v. 15.10.2013).
The Parties
The German VG Wort is the collecting society for authors. In order to collect royalties and distribute them to authors, VG Wort uses tracking pixels counting the number of times webpages containing authors‘ articles have been visited. Good for the authors who will receive a modest renumeration for articles published online.
Akademie.de is a website that offers authors the publication of articles online. On the website, authors are informed, in detail, how they are entitled to some extra cash from VG Wort when they upload articles („Infoseite VG-Wort-Ausschüttung: Zusätzliche Tantiemen für Texte bei Akademie.de“, akademie.de, Stand Juni 2012).
The Claim Confirmed by Berlin DPA
For reasons that only the company behind akademie.de will know, they are now arguing that VG Wort’s tracking pixels violate German data protection law. According to a press release published by akademie.de on Tuesday, the Berlin DPA agrees that the pixels do not comply with the law as the reader of an article is not entitled to opt out of being counted („Einbau von VG-Wort-Zählpixeln auf Webseiten verletzt geltendes Datenschutzrecht“, akademie.de Pressemitteilung v. 15.10.2013).
According to the press release by akademie.de, the pixels transmit IP adresses to VG Wort as well as the URL of the relevant akademie.de page. Moreover, cookies are used.
The Defence
As a matter of undisputed fact, VG Wort shortens the IP adresses on its server. VG Wort apparently argues that, due to the shortening of the adresses, IP adresses are anonymized and can, therefore, not be regarded as Personally Identifiable Information (PII). Moreover, VG Wort holds that, under German copyright law, they are obliged to collect royalties and, therefore, have to track and count.
The Crucial Issue
In Germany, the discussion whether and under what circumstances IP adresses are protected by data protection law has been going on for nearly a decade. As there are no clear court decisions on this question, the discussion remains open.
DPAs and other experts favouring a wide interpretation of what is PII will hold data protection law applicable whenever the mere theoretical possibility arises to identify the user. Under such a broad definition, even shortened IP adresses can be regarded as PII.
A Daunting Consequence for Anonymization …
This does, of course, raise the question why a provider should bother to anonymize at all. The arguments in the akademie.de case would be the same with or without anonymization.