
Court confirms that IP addresses are personal data only in some cases (2016) - ptype
https://www.whitecase.com/publications/alert/court-confirms-ip-addresses-are-personal-data-some-cases
======
ptype
I have submitted this because it is frequent to see on HN claims that IP
addresses are personal data under GDPR. I’m yet to see a good source for this
blanket statement, and this link contains a more nuanced analysis, essentially
saying that IP addresses are only personal data in some cases, where they can
be used to identify a person (without involvement of the ISP).

~~~
lurker456
GDPR is more recent and supersedes this.

~~~
killjoywashere
I'm fairly certain the US legal system, when interpreting domestic cases (the
purview of HIPAA) doesn't care about the GDPR. If a case crossed international
boundaries, sure, but to say GDPR supersedes HIPAA is false. They apply to
different jurisdictions, which are mostly, if not entirely, separate.

~~~
lurker456
Agreed, the US is more lax. I was responding to the parent comment "I have
submitted this because it is frequent to see on HN claims that IP addresses
are personal data under GDPR"

------
Lazare
The coverage of GDPR I've seen (and in my view, the regulation itself) has
been pretty clear that data becomes covered "personal data" only to the extent
that the data, in aggregate, can be used to identify a real person.

So an IP address _on its own_ is almost never personal data, because of wifi,
NAT, dynamic IPs, shared devices, etc. Then again, a _name_ is almost never
personal data on its own either, "John Smith" could refer to any one of hundreds
of thousands of people or it could be a pseudonym and refer to literally
billions of people.

But if someone registers on your site, and you log the IP address _and_ their
name, you're a lot closer to personal data. Add a timestamp, and you probably
can identify a real person.

So if you're trying to be careful about GDPR, you should probably be careful
about storing IP addresses (or IP addresses that can be linked to other bits
of potentially personal data). The focus of GDPR compliance can't be on "oh
this field is fine, but this field is personal data", it should be on what
you're collecting in aggregate. That makes IP addresses dangerous, because
they provide a lot of information that could be used to identify someone.

~~~
apple4ever
But as the article points out, adding a time stamp only will matter if you
have access to other data to map it to a real person.

So based on my reading, IPs and time stamps are not PII unless you are an ISP
or you link them to other PII (so still the IP and time stamps are really
irrelevant because they depend on that other PII).

~~~
shabble
You're unlikely to be storing _only_ (IP, timestamp) data though. Presumably
there's some additional info attached to those records that makes it useful
for something.

A web access-log records (ts, ip, request, ...), or maybe your application log
stores (ts, ip, action, params, ...)

So the information from that single source is "at time T, IP accessed
RESOURCE".

It's possible that's personally identifiable in context (if you have
additional controls that RESOURCE can only be accessed by exactly 1 real
person, etc)

But say it's not. All you know is: Opaque PERSON accessed RESOURCE.

If you can obtain the identifying information from elsewhere (buy, steal, etc)
from ISP or whatever, you now know that (T, IP) = NAMEDPERSON.

A simple lookup/matching means you know that NAMEDPERSON accessed RESOURCE.
That's the new personal data.

The IP isn't irrelevant, because without it, you'd have no lookup key to
determine the mapping from PERSON? to NAMEDPERSON.

~~~
apple4ever
Right, there may be more information, but none of that is personally
identifiable without additional information - information that cannot be
obtained legally or easily. So the IP is irrelevant.

------
Eridrus
This is an odd ruling to me.

If an ISP is willing to sell that data, are IP addresses now PII for everyone?

If one part of a company has such a DB, does it apply to every part of the
company? What if it's multiple companies owned by a conglomerate?

If you include an image (or a font!) from somewhere else in a web page, you
are causing the user's IP address to be sent to the hosting party, are you
liable for sending PII if the target can link IPs to names, because they (e.g.
Google) have a DB?

~~~
geofft
> _If you include an image (or a font!) from somewhere else in a web page, you
> are causing the user's IP address to be sent to the hosting party, are you
> liable for sending PII if the target can link IPs to names, because they
> (e.g. Google) have a DB?_

As an end user, I want this—if you wouldn't send my IP address to these people
otherwise, wanting to show me an image or a font is not a good reason to send
it.

As a web developer, I am happy to have excuses to tell my teammates that we
need to rehost every asset we depend upon. It's the right thing to do for so
many other reasons.

I know this makes things hard for people who have webfonts that don't allow
rehosting them etc. Being able to say "We can't use this font because of GDPR
unless you change your policies" sounds pretty great honestly.

~~~
StudentStuff
Hosting every dependency should be the norm, that some sites pull in multiple
megs of dependencies from random third parties is just asking for trouble long
term.

On the topic of proprietary fonts, why do some websites seem to think using a
questionably legible, licensed font is a good idea? It isn't adding value for
the end user.

------
jlgaddis
The main takeaway (IMO) from this article is right here:

> _However, businesses should note that if they have sufficient information to
> link an IP address to a particular individual (e.g., through login details,
> cookies, or any other information or technology) then that IP address is
> personal data, and is subject to the full protections of EU data protection
> law._

~~~
clarry
Can we interpret _have_ as _can obtain_?

Do a geolookup, you have my approximate location.

Do a Google search for my IP address and you'll have my name.

~~~
threeseed
> Do a Google search for my IP address and you'll have my name.

How does that happen exactly?

~~~
dylz
Business class internet at home often will reassign it to your full name and
address, for example.

