
Legitimate interest would totally cover you here. The fear-mongering and misinformation about the GDPR is getting really annoying by now.


Indeed. Dating sites have a legitimate (and I'd say moral) need to protect their customers from all kinds of nasty business. If the only way to do that is through the use of PII, and that use is well-documented in the privacy statement, and the data is not being used for unrelated purposes, this should be well within the bounds of GDPR.


> The "legitimate interest" GDPR strawman

In the past three and a half years I have witnessed four cases in which this exact method (cross-linking remote IP addresses to detect spammers/attackers/bots/etc.) has been an issue with GDPR, but I am sure those downvotes and the general tech-centered HN'y wave-off as misinformation have a better standing in EU courts these days since the fear-mongering GDPR hype is mostly over as it seems.


People can claim it all day long but it was determined that IP addresses are only PII in the hands of an entity who can actually associate it with a person, like an ISP.

https://www.jdsupra.com/legalnews/court-confirms-that-ip-add...


Yes, you are right. No way for a dating site for example (as stated by the original comment) to make a relation between an IP address and the person behind it. It's all fake profiles or some other strawman argument anyway, right? Like who uses his real name, address or even picture for something like that?! That'd be just ridiculous ...


...you're assuming they're keeping the IP linked to a specific profile and then making a strawman argument based on that assumption.


It sounds like that's what they're doing, in order to find other spam accounts:

> We'll manually review all accounts that use (more than one of) those ip addresses.


Obviously only vanviegen knows what they're doing, but here is what I'd do (IANAL!):

1. Identify offender (scammer/spammer) using other methods like manual review

2. Block offender as described, and only now start logging the IPs for them (claim: at that point it's legitimate interest)

3. If another user now uses one of the IPs, assume they're also offenders and log their IPs as well to weed out false positives (claim: they use the known offender IPs, so there is a good chance they're also offenders -> leg. int.)

4. Ban all actual offenders and delete associated IPs for false positives.

It's possible they're doing this flow and just simplified it for posting here.

Saving the IP/geolocation could also be legitimate interest to identify altered locations. E.g. say you're US based and suddenly log in from $abroad; they could send you a 2FA mail to secure your account.
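The four-step flow above, as an added example that is not code from the thread or from vanviegen's site: IPs are recorded only once an account is under review, other accounts are pulled into review only on a match against confirmed offender IPs, and clearing a false positive deletes its IP log. Class and method names and the IP values are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Account:
    user_id: str
    status: str = "ok"                      # ok | flagged | banned
    ips: set = field(default_factory=set)   # populated only while under review


class AbuseReview:
    """Record IPs only for accounts under review; purge them when cleared."""

    def __init__(self):
        self.accounts = {}
        self.offender_ips = set()   # IPs of confirmed offenders, used in step 3

    def add(self, user_id):
        self.accounts[user_id] = Account(user_id)

    def flag_offender(self, user_id, ip):
        # Steps 1-2: manual review found an offender; IP logging starts now.
        acct = self.accounts[user_id]
        acct.status = "flagged"
        acct.ips.add(ip)
        self.offender_ips.add(ip)

    def on_login(self, user_id, ip):
        # Step 3: compare against offender IPs; only matches get logged.
        acct = self.accounts[user_id]
        if acct.status == "banned":
            return "blocked"
        if acct.status == "flagged" or ip in self.offender_ips:
            acct.status = "flagged"
            acct.ips.add(ip)          # keep evidence for the manual review
            return "review"
        return "ok"                   # ordinary users: nothing is stored

    def resolve(self, user_id, is_offender):
        # Step 4: ban and keep IPs for blocking, or clear and delete them.
        acct = self.accounts[user_id]
        if is_offender:
            acct.status = "banned"
            self.offender_ips |= acct.ips
        else:
            acct.status = "ok"
            acct.ips.clear()          # false positive: no IP retained
```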


Review is the key. They're using it as an indicator of bad behavior to provide direction where other bad behavior may be.

The IP didn't identify the person, but it did potentially implicate accounts that needed to be reviewed or that may have been compromised.


Even with all that, the IP address itself still doesn't represent a person in the hands of that dating site.

An ISP can identify which IP address has been assigned to your phone, at what time, on what tower and exactly what points in time that IP address changed. It can also associate the device itself with the IP address.

An IP address on a cable modem can be associated with a particular account for a house or a business office, but even it can't positively identify the person in the house or at the business who was using it to connect to a particular website.

And yes, as you said, anybody can create a fake profile. A coworker could create a fake profile on a dating site of you if they wanted to and that IP address still doesn't positively identify you.

The name, address, photo...all of that is absolutely PII and covered by GDPR.

The IP address isn't and is also used for legitimate security purposes. People trying to get them scrubbed under GDPR are overreaching on a piece of data they have no right to have scrubbed.


Oh okay, so you are a lawyer? My condolences.


Any links/info on these 4 cases so that we can learn more about the subject?


Has been an issue in what way?


Go on, tell us more so we can do better.


I often see downvotes for comments that make claims but don't include details.

In this case you say, "an issue with GDPR" but fail to elaborate.



