
"To anonymize these datapoints, we run them through a hash function with a rotating salt.

`hash(daily_salt + website_domain + ip_address + user_agent)`"

Isn't this just PII with extra steps? OK, it's at least better than the traditional approach. Keep in mind though that anonymizing is also a use of personal data in itself and requires a legal basis. https://www.insideprivacy.com/data-privacy/german-federal-co...




You seem to be confused about what PII is (which I think you meant from context). None of the listed information is PII, nor does it become that in aggregation.

But if it was, it most likely would be enough anyway if the salt isn't stored anywhere. An irreversible hash of data is enough anonymization.


You are right: PII. Sorry. So PII is information that enables someone to identify a person as a unique person. On the homepage it is stated: "This generates a random string of letters and numbers that is used to calculate unique visitor numbers for the day."

Where the definition of personal data is:

"(1) 'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;"

So if the listed information isn't PII (an IP address however is PII) then it would become PII if you can identify a unique visitor with it.

Am I wrong here? It sounds to me that this hash fits the definition of Art. 4


This is equivalent to replacing the IP address with a pseudonym that is rotated daily per each IP address.

Privacy improvements using crypto is somewhat marketing, but here the numbers show that they have a really good product, an impressive revenue model and a good marketing message so I think that's what we should look at.

Technically, at the end of the day, they store utm_source, they store the IP address (just in an encoded form with a salt + day added to it).

-> So yeah, you can be tracked, but in theory you will appear under a pseudonymised hash of your IP+UA.
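
The scheme quoted at the top of the thread, as an added example that is not part of any comment here and is not the product's own code. It shows the properties the comments argue about: the ID is stable within a day, differs per site, and rotates once the salt is replaced. SHA-256, the NUL separator, and the names `DailySaltStore`, `visitor_id` and `unique_visitors` are assumptions of this example; the sample hits are constructed.

```python
import hashlib
import secrets


class DailySaltStore:
    """Holds only the current day's salt; the old one is overwritten on rotation."""

    def __init__(self):
        self._day = None
        self._salt = None

    def salt_for(self, day: str) -> bytes:
        if day != self._day:
            # Rotation: the previous salt is discarded, so yesterday's IDs
            # can no longer be recomputed from an IP address and user agent.
            self._day, self._salt = day, secrets.token_bytes(32)
        return self._salt


def visitor_id(salt: bytes, website_domain: str, ip_address: str, user_agent: str) -> str:
    # hash(daily_salt + website_domain + ip_address + user_agent), as quoted.
    # Assumption: SHA-256, with a NUL separator so field boundaries are unambiguous.
    fields = (website_domain, ip_address, user_agent)
    material = b"\x00".join(f.encode() for f in fields)
    return hashlib.sha256(salt + material).hexdigest()


def unique_visitors(store: DailySaltStore, day: str, domain: str, hits) -> int:
    # hits: iterable of (ip_address, user_agent) pairs seen on that day.
    salt = store.salt_for(day)
    return len({visitor_id(salt, domain, ip, ua) for ip, ua in hits})


def demo():
    store = DailySaltStore()
    ip, ua = "203.0.113.7", "Mozilla/5.0 (constructed)"  # constructed sample
    s1 = store.salt_for("2020-06-01")
    day1 = visitor_id(s1, "example.com", ip, ua)
    same_day = day1 == visitor_id(s1, "example.com", ip, ua)
    other_site = visitor_id(s1, "example.org", ip, ua)
    s2 = store.salt_for("2020-06-02")
    day2 = visitor_id(s2, "example.com", ip, ua)
    # (stable within a day, separate per site, rotated across days)
    return same_day, day1 != other_site, day1 != day2
```
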


At least in Germany the court ruled that an IP address is not PII

A unique identifier which lets them track a user everywhere isn't either if there is no way to match this id to a real name etc.

They will likely still need to disclose this tracking (ianal), but the identifier used to track the visits isn't PII


My last info is that the ECJ ruled that IP addresses are PII. And as I quoted above it doesn't matter if information can be matched to a real name but it matters if you can single out one person e.g. a unique visitor.


You quoted something which I think you misunderstood.

The natural person is the link to a real name. It only becomes PII if it's somehow possible to link a real name or similar to this identifier. If this is impossible, it will never be PII, even if it identifies a single individual.


This would be a massive misunderstanding on my part. I don't believe I did. For example: Recital 30 explicitly states IP addresses[0] and that they might be assigned to a person. Art 4 states that a person can be directly identified or indirectly identified. My understanding is that you don't need any direct information about a person if you can single them out with indirect information. "However, a name is not always necessary. Had you not known Robert’s name, you could have still identified him through his proximity and some combination of physical factors, like height and hair color."[1]

I don't think I am wrong here. But I am willing to admit when I am wrong, where is my mistake?

[0] https://gdpr-info.eu/recitals/no-30/

[1] https://gdpr.eu/eu-gdpr-personal-data/?cn-reloaded=1


Yes, a name is strictly speaking unnecessary, but you need to actually identify a real person uniquely in the real world.

It's not PII as long as it's impossible to link it back to a unique identification from the real world such as a name, social security number or similar.

So my previous blanket statement of IP addresses not being PII is slightly exaggerated; they can be, but they rarely are.

Most people access the internet either with dynamic IP addresses or from a corporation's internet providers. People that have a static IP address on a private landline and without a NAT are rare, which is why, generally speaking, IP addresses aren't PII.

It does become PII if the person in question has a static IP address and is the only person using this connection.


Would you say that your username is PII? I sure can't identify you in the real world, but I can identify you as a real person. I would consider it PII even if I know nothing else about you other than that I am talking to the same person.


No, my username is not PII as there is no lookup table to my real identity.

If it was, ycombinator would have to adhere to much more stringent regulation wrt them.


Ok so this is the point where we differ. I read Art 4 as follows in this case: You are a natural person who can be indirectly identified by referring to an online identifier (your username). This identifier is therefore personal data. HN also has your IP and a mail address. So they have a much stronger link. Maybe they also have information about the sites you visited and the comments you made. If one would read all of this, maybe this someone would have a good profile about you and could identify you.


A natural person is a legal term so it's really not a matter of opinion... Believe it or not, usernames only become PII if the user chooses to use their real name or other information which uniquely identifies them in real life.


Ok I guess that we can't reach an understanding on this point. I don't think GDPR needs the real life link, you think it does.

I can understand your point and it was nice to entertain this conversation with you. I can't see how to convince you of my view and I don't see how you could convince me of yours. But I will keep your arguments in mind and will look for some more information regarding it. Thank you!


I should've realized this earlier but I think I understand now the reason for the confusion.

GDPR handles all kinds of data related to a person, so yes: a username is personal data wrt GDPR.

Personally identifiable information (PII), on the other hand, is only a subset of data handled by the General Data Protection Regulation (GDPR).

This might clear that up: https://techgdpr.com/blog/difference-between-pii-and-persona...


Yes! I used PII and Personal Data synonymously and didn't realise that PII is a subset of personal data. I am glad you took the time to correct me. Man I feel stupid now...



