← Back to context

Comment by dessant

6 years ago

GDPR treats an IP address as personal data. The data is not transmitted through an anonymizing network, so Google has access to the user's IP address when they receive the data.

Anything that is associated with personal data also becomes personal information, therefore Google is transmitting personal data without user consent, which is illegal.

Asking for consent is not required under GDPR when the data collection is needed for a service to function. This is not the case here, Google services function without receiving that header, the data is used by Google to gain a technical advantage over other web services.

12 comments

dessant

Reply
joshuamorton  6 years ago

> GDPR treats an IP address as personal data.

No it doesn't. GDPR only treats IP address as personal data if it is associated with actual identifying information (like name or address). Collecting IP address alone, and not associating it with anything else, is completely fine (otherwise nginx and apache's default configs would violate GDPR), and through them basically every website would violate GDPR.

Edit: and furthermore, even if it did (I see conflicting reports), if you collect IP Address and another pseudonymous ID and don't join them, the ID isn't personal data.

IOW, the theoretical capability to make changes to a system to use info in a non-GDPR compliant way doesn't make the information or system noncompliant. You actually have to do the noncompliant things.

  • dessant  6 years ago

    An IP address is itself personal data, it does not have to be associated with other personal data.

    https://ec.europa.eu/info/law/law-topic/data-protection/refo...

    > Collecting IP address alone, and not associating it with anything else, is completely fine (otherwise nginx and apache's default configs would violate GDPR), and through them basically every website would violate GDPR.

    See my comment about consent not being required when the data is needed to provide a service. Logging is reasonably required to provide a service.

    > and furthermore, even if it did (I see conflicting reports), if you collect IP Address and another pseudonymous ID and don't join them, the ID isn't personal data.

    The transmission of data is already covered by GDPR, you don't have to store the data to be bound by the law.

    • joshuamorton  6 years ago

      See my edit. There's conflicting information on this. A dynamic IP, for example, isn't directly related to or relatable to a specific natural person without other context.

      But even if that's the case, if you don't tie the pseudonymous ID to the IP, it isn't personal data. As far as I can tell, the transfer rules you reference are about transferring data out of the EU, and can be summarized as "you can't transfer data to a non-EU country and then process it in a way that violates the GDPR". Article 46 notes that transferring data is fine as long as appropriate safeguards are in place[1], and article 47[2] defines what constitutes those safeguards (in general, contractually/legally binding agreements with appropriate enforcement policies).

      This goes back to what I said before: The theoretical capability to do noncompliant things doesn't make a system GDPR-noncompliant. You have to actually do noncompliant things to not comply.

      [1]: https://gdpr-info.eu/art-46-gdpr/

      [2]: https://gdpr-info.eu/art-47-gdpr/

    • thenewnewguy  6 years ago

      > > and furthermore, even if it did (I see conflicting reports), if you collect IP Address and another pseudonymous ID and don't join them, the ID isn't personal data.

      > The transmission of data is already covered by GDPR, you don't have to store the data to be bound by the law.

      This cannot be the actual correct interpretation of the GDPR, because under this logic _all_ IP packets on the public internet (made by/to EU citizens) are covered by the GDPR because you are transmitting data alongside an IP address.

  • 0xfffafaCrash  6 years ago

    There has been an EU court ruling on this exact question of whether dynamic IP addresses count as personal data even in contexts where the website operator in question does not have the means to associate it with an individual but another party (such as an ISP) does. The Court of Justice of the European Union has ruled on this and it does count as personal data. [1]

    Furthermore, GDPR itself specifically refers to online identifiers in Article 4 as falling under the definition of personal data[2] and then clarifies in Recital 30[3] that IP addresses count as online identifiers in this context. There seems to be no legal ambiguity in the EU on this topic at this point, but I would be not surprised to see parties who are not GDPR compliant pretend otherwise indefinitely.

    [1] https://curia.europa.eu/jcms/upload/docs/application/pdf/201...

    [2] https://gdpr-info.eu/art-4-gdpr/

    [3] https://gdpr-info.eu/recitals/no-30/

    • joshuamorton  6 years ago

      Interesting, TIL. That doesn't change the major point I was making though, which is that an anonymized identifier (such as the 13-bit ID under discussion) isn't personal info, even if it might have originally been collected along side data which is personal info. If I give you said 13 bit ID, you need other info to back out a single person, the anonymous ID corresponds to multiple IPs.

      5 replies →