What site do you run, and why do you need to log my personal data (IP, browser, other identifying data)? Do you have good reasons to keep it forever, or do you purge it after you analyze it?
How can a SaaS defend chargeback claims without an IP address? Stripe stores the IP address, and the proof that the user paid for the subscription using the same IP and created an account ties them together.
Have a timeout. That may be a valid reason to store it for the chargeback limitation (120 days IIRC) but definitely not a valid reason to store it forever, as the parent post was talking about.
The article we're in the comments for is about the GDPR - as defined in article 4 of the GDPR, IP addresses constitute personal data. In many cases, a specific IP address, even a dynamic one, can be used to uniquely identify a natural person.
Even though in many cases this won't help you identify a specific natural person (i.e., you don't know whether you're dealing with a specific person or multiple people on a shared connection, and an IP address on its own usually isn't enough for you to de-anonymize a person), they're still considered a personal identifier, are often coupled to a general physical location, and are now explicitly legally protected.
Couple an IP address with a browser user-agent, and you've got the basis for a strong unique fingerprint for a specific person.
Under GDPR guidance, IP addresses are considered personal data because they can be used to identify an individual in a moment in time. Personal data consists of things that identify individuals, but also things that can be used in conjunction with other information to identify individuals.
You might not like that, but the regulators are pretty clear on this point.
> Under GDPR guidance, IP addresses are considered personal data because they can be used to identify an individual in a moment in time.
That's actually the most frightening thing I've heard in a long time. Does the GDPR actually make that connection? If so, it literally links people to an IP address, rather than simply a connection.
If that line is accurate, I'm surprised it hasn't been mentioned before, associating an IP address to a specific person. I have to believe you are wrong, otherwise the legal implications are scary.
For those that don't understand: my concern is that in the US, for a long time, when copyright claims by the RIAA or MPAA, for example, went after someone because of an IP address, a common defense was basically: An IP Address is not a person. The above commenter made the claim that an IP address alone can be associated with a specific person. So, I'm wondering if 1) that's accurate and 2) what are the ramifications of an IP address being a person in the world of law enforcement?
No, the GDPR does not actually link people to an IP address. The GDPR never even refers to an IP Address, and where it refers to an Internet address, it is clear it's referring to email addresses.
The ICO (furthermore) has given guidance that they don't think an IP address is uniquely identifying an individual, and have confirmed this to me on the phone.
Where you get into trouble is in transmitting your browser logs/activity to a third party who wants to keep them for their own purposes (e.g. Google). In this circumstance, you have to let people know that you've done this, and to transmit their preferences that you receive onward.
Yes, it explicitly mentions it, because it's actually very often true. Of course there are plenty of examples where it would be extremely difficult to link to an individual, but there are tonnes of examples where it's extremely easy. GDPR says that because it's sometimes easy, you have to consider it personal data.
Again, it's not always saying an IP address is a personal identifier. It just is often enough.
> Again, it's not always saying an IP address is a personal identifier. It just is often enough.
Well, that's not what you said or implied. I'm just thinking of all the cases in the US where the defense is you can't assume that an IP address ties to a specific person. Anyone could use the computer, or someone could attach to an open wifi.
Basically, if the legal argument is the IP address can be associated with a person, that raises legal concerns.
I said they can be used to identify an individual in a moment in time. That's correct.
Can it always identify an individual? No. Is the standard of identification good enough for a criminal case? Certainly not. But why are you comparing these? The GDPR is a standard about privacy and data protection; a UK postcode (like a zip code in the US) is considered personal data for exactly the same reason.
That's not true; I can only assume you're reading the 2011-era DPA guidance.
Under GDPR, an IP address must explicitly be considered as personal data, and any processing of them must be written in the documentation of the data processing activities:
The GDPR requires informing of use, transmitting preference, and protecting rights, of things that can potentially identify an individual, but this is easy to accommodate by simply not being an asshole. You're not under any requirement to actually identify an individual with your IP log.
"online media services provider may collect and use personal data relating to a user of those services, without his consent, only in so far as that [..] that data are necessary to facilitate and charge for the specific use of those services by that user"
This is related to the DPA; but the GDPR doesn't change anything here, only strengthens it (i.e. making IP addresses explicitly personal data).
So if you're arguing collecting IP addresses is absolutely necessary for you to facilitate the service, no, you don't need consent. But I would not want to have to defend that, since disabling collection is as simple as a webserver reconfig.
I have not read any legal opinion that agrees with yours. I have also been to ICO events where they have stated they expect to treat it as personal data. That's reflected in their site (I gave you a specific example).
I understand that's not the outcome you're looking for.
I'm ignoring German opinions since Art 51-52 suggest only the ICO is going to be involved.
> if you're arguing collecting IP addresses is absolutely necessary for you to facilitate the service, no, you don't need consent. But I would not want to have to defend that, since disabling collection is as simple as a webserver reconfig.
Using IP addresses for audit and security is best practices; I can use the IP address to make sure that a user isn't logging in from two countries at the same time (and then require a call e.g. to whitelist).
Thinking of an IP address in binary, as you're suggesting, is extremely dangerous: The GDPR is not supposed to prevent you from thinking about what you're doing.
> That's reflected in their site (I gave you a specific example).
Your example doesn't come out and say IP Addresses are always personal data. Try again.
So, three things. First, the case reference I gave you. That "German opinion" is from the Court of Justice of the European Union. This is the highest court that applies, and the ICO must obey it (until Brexit - and even after then, it's highly unlikely that the UK will interpret the GDPR in a different manner, at least for some time).
Second, I've said before IP addresses might not always be personal data. But the issue is they sometimes are, and if you record them without discrimination then you're recording personal data. The old guidance says "An IP address is only likely to be personal data if relates to a PC or other device that has a single user" - ok, so are you able to not record IP addresses that do relate to a single-user device? No?
Third, the ICO do think IP addresses count. I've given you a GDPR reference already, even their DPA tool treats them as such:
It genuinely doesn't matter what the ICO might have said in the past. Right now, they say IP addresses are personal data. The courts say that. The law says that. I've given you multiple references for all of this.
a dynamic IP address registered by an online media services provider when a person accesses a website that the provider makes accessible to the public constitutes personal data within the meaning of that provision, in relation to that provider, where the latter has the legal means which enable it to identify the data subject with additional data which the internet service provider has about that person.
If you're not the Internet Service Provider, or more broadly, if you don't have "legal means which enable [you] to identify the data subject with additional data" then the ruling doesn't mean what you claim it says.
You're being intellectually dishonest by trying to tie irrelevant sources of information. That the high German court took a broader look than the European court is irrelevant.
> their DPA tool treats them as such
It says, as I've agreed, that an IP Address could be personal information. You've also agreed this position. The ICO does not consider IP addresses [by themselves] personal information.
That seems like a weak argument though. Two humans can also have same name and zipcode. They can also have same personal number and bank account number if they are in different countries. Without tracking and correlation, most information on its own is useless.
This reads like you are intentionally trying to misunderstand. GDPR has two categories of user information: direct identifiers and indirect identifiers.
Direct identifiers are pieces of data that allow you to target a person, or a very small group of persons, from a single data point. Indirect identifiers are anything that you could use to build a marketing cohort.
Combining a few indirect identifiers allows you to target very specific groups of people. Or, using the very examples you quoted:
- The tuple (bank account number, country) is enough to target an individual.
- The tuple (full name, zip code) is enough to target a very small group of individuals. By adding just one more element you can identify individuals.[ß]
Each one of the four data points counts as user information under GDPR. Doesn't matter whether they are direct or indirect.
Disclosure: I wear the DPO hat at Smarkets. As a gambling company we are legally required to know quite a lot about our customers.
ß: For the nitpicking armchair lawyers: unless you happen to have a gated community for John Smiths.
> Like the DPA, the GDPR applies to ‘personal data’. However, the GDPR’s definition is more detailed and makes it clear that information such as an online identifier – eg an IP address – can be personal data
An IP address is "personal data" in the same way that "lifestyle information" or a "location" is. That someone can combine an IP address with other information to personally identify someone is important, but it doesn't prevent me from logging personal data.
That's their position at the moment. GDPR makes it a bit more explicit: if you can combine the IP address with other information to identify a natural person it becomes personal data.
IP and browser fingerprinting is used to identify you around the internet; why would someone need to fingerprint me if they have good intentions? If you want some stats on who visits you, like countries, what browsers and OSs they use, you can count them and discard the data after; you would not need to keep it.
IP address alone on an anonymous web access log need not be. Start combining it with persistent cookies or a logged-in user etc. and it clearly becomes personal data as it is then enough to identify someone.
The clause in the regulation is quite clearly worded:
"Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them."
IP and browser information are definitely PII, which is Personally Identifiable Information. Those are PII, because they can be used to personally identify an individual.
Correct. There is a similar concept, but it is not the same as PII in the US.
Recital 26:
To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments.
Since the concepts mentioned in the comment, IP and browser information, are already being used to single people out for tracking, those particular types of information can definitely be viewed as the equivalent concept under GDPR, as defined in Recital 26.