Comment by joshuamorton

6 years ago

This relies on the (unfounded) assumption that this pseudonymous ID is being used for tracking purposes and that Google is actively lying about it.

GDPR treats an IP address as personal data. The data is not transmitted through an anonymizing network, so Google has access to the user's IP address when they receive the data.

Anything that is associated with personal data also becomes personal information, therefore Google is transmitting personal data without user consent, which is illegal.

Asking for consent is not required under GDPR when the data collection is needed for a service to function. This is not the case here, Google services function without receiving that header, the data is used by Google to gain a technical advantage over other web services.

  • > GDPR treats an IP address as personal data.

    No it doesn't. GDPR only treats IP address as personal data if it is associated with actual identifying information (like name or address). Collecting IP address alone, and not associating it with anything else, is completely fine (otherwise nginx and apache's default configs would violate GDPR), and through them basically every website would violate GDPR.

    Edit: and furthermore, even if it did (I see conflicting reports), if you collect IP Address and another pseudonymous ID and don't join them, the ID isn't personal data.

    IOW, the theoretical capability to make changes to a system to use info in a non-GDPR compliant way doesn't make the information or system noncompliant. You actually have to do the noncompliant things.

    • An IP address is itself personal data, it does not have to be associated with other personal data.

      https://ec.europa.eu/info/law/law-topic/data-protection/refo...

      > Collecting IP address alone, and not associating it with anything else, is completely fine (otherwise nginx and apache's default configs would violate GDPR), and through them basically every website would violate GDPR.

      See my comment about consent not being required when the data is needed to provide a service. Logging is reasonably required to provide a service.

      > and furthermore, even if it did (I see conflicting reports), if you collect IP Address and another pseudonymous ID and don't join them, the ID isn't personal data.

      The transmission of data is already covered by GDPR, you don't have to store the data to be bound by the law.

    • There has been an EU court ruling on this exact question of whether dynamic IP addresses count as personal data even in contexts where the website operator in question does not have the means to associate it with an individual but another party (such as an ISP) does. The Court of Justice of the European Union has ruled on this and it does count as personal data. [1]

      Furthermore, GDPR itself specifically refers to online identifiers in Article 4 as falling under the definition of personal data[2] and then clarifies in Recital 30[3] that IP addresses count as online identifiers in this context. There seems to be no legal ambiguity in the EU on this topic at this point, but I would not be surprised to see parties who are not GDPR compliant pretend otherwise indefinitely.

      [1] https://curia.europa.eu/jcms/upload/docs/application/pdf/201...

      [2] https://gdpr-info.eu/art-4-gdpr/

      [3] https://gdpr-info.eu/recitals/no-30/