Introduction
"IP address" stands for Internet Protocol address. It is a fundamental part of the protocol that serves as the basis for calling up web pages.
IP addresses are personal data.
Rulings by the ECJ and BGH clearly establish this
An IP address is personal data. This was established by the ECJ in its judgment of 19 October 2016 – C-582/14, and subsequently also by the BGH in its judgment of 16 May 2017 – VI ZR 135/13. This applies even to dynamic IP addresses, i.e., network addresses that change, for example, daily.
Whenever a website is called up via a browser, the user's IP address, i.e. their network address, is transmitted to the called-up website. Since IP addresses are personal data, every call of a website is always a GDPR-relevant process.
Incidentally, for globally operating and everyday companies like Google, IP addresses are potentially always personal data, regardless of national laws. The ECJ ruling above is not even needed to argue that IP addresses are personal data for Google.
What is personal data?
This is commonly understood to mean all data that can be used to establish an identity. However, it also includes data that is attached to a person, such as a preference for red roses.
While it's easy to imagine that a name, address, and phone number are associated with an identity, this is harder to grasp when it comes to IP addresses. Because the highest German court (BGH) has so decided, IP addresses are now personal. As soon as a user accesses a website, their IP address is transmitted to the server where the website is located. If tools from third-party providers are embedded on the website, the user's IP address is also transmitted to the third-party provider. Such tools can be videos, maps, or forms, for example.
Transfer to third parties by integrating services/tools/scripts/files
When a website X embeds a service such as Google Maps, the following always happens because of the internet protocol mentioned above:
- User with IP address 4711 accesses website
- The website X embeds Google Maps
- As a result, IP address 4711 is passed on to Google by website X
The operator of website X is responsible for the fact that the user's personal data is transmitted to Google via the website.
Call chain
Typically, symbolic names are used for websites and services instead of IP addresses. For example, one variant of the script that has to be embedded for Google Analytics is google-analytics.com/analytics.js.
A name server (Domain Name System, abbreviated: DNS) resolves this name into an IP address. Databases of address ranges record which country each IP address belongs to. These address ranges can theoretically change. In practice, they are especially stable for very frequently called IP addresses. The address databases are also regularly updated. Load distribution at large companies like Google means that a domain such as google.com is not always served from the same IP address. Within one week, I observed 72 * 256 IP addresses disappearing from the address ranges for the USA and some others were added. With more than one billion IP addresses assigned to the USA, 72 * 256 = 18,432 is an imperceptible order of magnitude.
The IP address that is currently active can be determined using the DOS command tracert, the tool CountryTraceRoute mentioned below, or by loading a website with the browser's developer console open. Here is an example after calling a website, as it appears in the Firefox browser's developer console (opened with the F12 key):

The called-up website embeds a social media plugin from Twitter, as can be seen from the file names. The domain pbs.twimg.com had the IP address 23.1.106.237 (the suffix :443 denotes the port, which is irrelevant here).
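The check described above can be automated for a whole page load. The following is an added example, not code from the original article: it reads a HAR export of the developer console's network log, lists every third-party host the page contacted together with its server address, and looks the address up in an address-range table. The HAR content, the addresses (documentation ranges), the country assignments and the first-party domain example.org are constructed; only the destination address is covered, not the intermediate hops of the route.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Constructed address-range table (network -> country). Real databases are far
# larger and change over time. Networks are RFC 5737/3849 documentation ranges.
RANGES = [("192.0.2.0/24", "DE"), ("198.51.100.0/24", "US"),
          ("198.51.100.128/25", "NL"), ("2001:db8::/32", "US")]

# Constructed HAR excerpt; hosts follow the article, addresses are placeholders.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"url": "https://www.example.org/"}, "serverIPAddress": "192.0.2.10"},
    {"request": {"url": "https://static.example.org/s.css"}, "serverIPAddress": "192.0.2.11"},
    {"request": {"url": "https://pbs.twimg.com/media/a.jpg"}, "serverIPAddress": "198.51.100.7"},
    {"request": {"url": "https://pbs.twimg.com/media/b.jpg"}, "serverIPAddress": "198.51.100.7"},
    {"request": {"url": "https://www.google-analytics.com/analytics.js"},
     "serverIPAddress": "[2001:db8::5]"},
    {"request": {"url": "https://maps.example.net/t.png"}, "serverIPAddress": "198.51.100.200"},
    {"request": {"url": "https://cdn.example.com/font.woff2"}},  # from cache, no address
]}})


def country_of(ip_text, ranges=RANGES):
    """Longest-prefix match of an address against the range table."""
    ip = ipaddress.ip_address(ip_text.strip("[]"))  # some exports bracket IPv6
    best = None
    for cidr, country in ranges:
        net = ipaddress.ip_network(cidr)
        if ip.version == net.version and ip in net:
            if best is None or net.prefixlen > best[0]:
                best = (net.prefixlen, country)
    return best[1] if best else "unknown"


def third_party_transfers(har_text, site_domain):
    """Return sorted (host, ip, country) for every embedded third-party host."""
    seen = set()
    for entry in json.loads(har_text)["log"]["entries"]:
        host = urlsplit(entry["request"]["url"]).hostname or ""
        if host == site_domain or host.endswith("." + site_domain):
            continue  # first party: the site itself and its subdomains
        ip = entry.get("serverIPAddress") or ""
        seen.add((host, ip.strip("[]"), country_of(ip) if ip else "unknown"))
    return sorted(seen)


if __name__ == "__main__":
    for host, ip, country in third_party_transfers(SAMPLE_HAR, "example.org"):
        print(f"{host:28} {ip or '-':18} {country}")
```

Each row in the result is one third party that received the visitor's IP address during the page load. The subdomain test is a simplification that treats everything under the given domain as first party.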
In most cases, there is no direct connection between the caller of a website and the address of an embedded service like Google Analytics. This is analogous to train connections between two cities: for certain travel routes, one has to change trains (to another address) in transit. Unlike trains, call chains (routes) for IP addresses are often worldwide.
Country reference
With a freely available tool like CountryTraceRoute (free download at https://www.nirsoft.net/utils/country_traceroute.html), the call chain can be determined for any domain name. For each IP address visited, the country is displayed directly.
For the IP address of the Twitter plugin mentioned above, the output is as follows (parts anonymized):

When a file of the Twitter plugin is called, the route thus passes through Germany, the Netherlands, the USA, and the United Kingdom, and finally the USA again.
Here's another example for google-analytics.com (partially anonymized):





My name is Klaus Meffert. I have a doctorate in computer science and have been working professionally and practically with information technology for over 30 years. I also work as an expert in IT & data protection. I achieve my results by looking at technology and law. This seems absolutely essential to me when it comes to digital data protection. My company, IT Logic GmbH, also offers consulting and development of optimized and secure AI solutions.
