https://gdpr-info.eu/art-4-gdpr/
"‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;"
So yeah, a single IP in isolation might not trace back to a single individual - but with a timestamp and billing info it might track to a residence - with other data (eg: age, occupation) it certainly will trace back to an individual.
I'm surprised at the ico's interpretation / statement on this.
> > i don't think it's meant as a tool for "book burning"
> I think you've confused my statement of "I suspect Hacker News would..." to be a legal/professional opinion about what Hacker News should do, or would be compelled to do so under the GDPR.
Indeed, that wasn't mean as a direct reply to you, more as a general comment on the GDPR.
There's a provision on right to be forgotten, and it'll be interesting to see that vis-a-vis a public interest in keeping an open archive of public discourse.
> The reason I think Hacker News would simply delete it has nothing to do with the GDPR, but because they seem to have responded to requests to delete an account and comments in the past:
True. I don't think that'll be enough to comply with the GDPR. Just as storing child pornography in bulk, isn't ok if you remove individual pictures on request.
On appeal, the Regional Court of Berlin (the "Kammergericht") ruled that IP addresses in the hands of website operators could qualify as personal data if the relevant individual provides additional details to the website operator (e.g., name, email address, etc.) in the course of using the website
That's basically the same thing as the John Smith example: There's a threshold when you have personally identifying information, and whilst it can certainly include an IP address in some circumstances, there are enough other valid uses for the IP (fraud, VAT, etc) and enough uncertainty (NAT, multiuser computers, etc) that it by itself isn't PII.
> There's a provision on right to be forgotten, and it'll be interesting to see that vis-a-vis a public interest in keeping an open archive of public discourse.
Yes. I don't think it's clear what Internet forums are required to do.
so a flag to hide all the comments of a user who has chosen to be forgotten should be sufficient.
However, if a site wants to refuse the order, they may be successful if they can argue the comments are in the public interest, but if I were a company wanted to refuse a persons rights in this way, I would call the ICO to get clarity.
> I don't think that'll be enough to comply with the GDPR.
If someone contacts the data controller (e.g. pg) and asks to have their data removed (or flagged hidden or whatever), and Pg does it, why don't you think that would be compliant?
https://www.whitecase.com/publications/alert/court-confirms-...
They also seem to be at odds with the GDPR:
https://gdpr-info.eu/art-4-gdpr/ "‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;"
So yeah, a single IP in isolation might not trace back to a single individual - but with a timestamp and billing info it might track to a residence - with other data (eg: age, occupation) it certainly will trace back to an individual.
I'm surprised at the ico's interpretation / statement on this.
> > i don't think it's meant as a tool for "book burning"
> I think you've confused my statement of "I suspect Hacker News would..." to be a legal/professional opinion about what Hacker News should do, or would be compelled to do so under the GDPR.
Indeed, that wasn't mean as a direct reply to you, more as a general comment on the GDPR.
There's a provision on right to be forgotten, and it'll be interesting to see that vis-a-vis a public interest in keeping an open archive of public discourse.
See 3a)
https://gdpr-info.eu/art-17-gdpr/
> The reason I think Hacker News would simply delete it has nothing to do with the GDPR, but because they seem to have responded to requests to delete an account and comments in the past:
True. I don't think that'll be enough to comply with the GDPR. Just as storing child pornography in bulk, isn't ok if you remove individual pictures on request.