I'm ignoring German opinions since Art 51-52 suggest only the ICO is going to be involved.
So, three things. First, the case reference I gave you. That "German opinion" is from the Court of Justice of the European Union. This is the highest court that applies, and the ICO must obey it (until Brexit - and even after then, it's highly unlikely that the UK will interpret the GDPR in a different manner, at least for some time).
Second, I've said before IP addresses might not always be personal data. But the issue is they sometimes are, and if you record them without discrimination then you're recording personal data. The old guidance says "An IP address is only likely to be personal data if relates to a PC or other device that has a single user" - ok, so are you able to not record IP addresses that do relate to a single-user device? No?
Third, the ICO do think IP addresses count. I've given you a GDPR reference already, even their DPA tool treats them as such:
It genuinely doesn't matter what the ICO might have said in the past. Right now, they say IP addresses are personal data. The courts say that. The law says that. I've given you multiple references for all of this.
> a dynamic IP address registered by an online media services provider when a person accesses a website that the provider makes accessible to the public constitutes personal data within the meaning of that provision, in relation to that provider, where the latter has the legal means which enable it to identify the data subject with additional data which the internet service provider has about that person.
if you're not the Internet Service Provider, or more broadly, that you don't have "legal means which enable [you] to identify the data subject with additional data" then the ruling doesn't mean what you claim it says.
You're being intellectually dishonest by trying to tie irrelevant sources of information. That the high German court took a broader look than the European court is irrelevant.
> their DPA tool treats them as such
It says, as I've agreed, that an IP Address could be personal information. You've also agreed this position. The ICO does not consider IP addresses [by themselves] personal information.
> if you're arguing collecting IP addresses is absolutely necessary for you to facilitate the service, no, you don't need consent. But I would not want to have to defend that, since disabling collection is as simple as a webserver reconfig.
Using IP addresses for audit and security is best practices; I can use the IP address to make sure that a user isn't logging in from two countries at the same time (and then require a call e.g. to whitelist).
Thinking of an IP address in binary, as you're suggesting, is extremely dangerous: The GDPR is not supposed to prevent you from thinking about what you're doing.
> That's reflected in their site (I gave you a specific example).
Your example doesn't come out and say IP Addresses are always personal data. Try again.
They've previously said the opposite:
https://ico.org.uk/media/for-organisations/documents/1591/pe...