
It is neigh impossible to send truly anonymous data as telemetry. As soon as you're using the internet, you're disclosing an IP address, which is PII. If you add anything to link two subsequent telemetry reports together, that thing is PII (e.g. a hash or a uuid). If the telemetry report is detailed enough that they become somewhat unique, it's PII.

That said, consent is not the only grounds on which you can process PII. Contract, legal obligation, vital interests, public task, or legitimate interests are also valid grounds. Of these, legitimate interests is the most applicable in this situation.




> As soon as you're using the internet, you're disclosing an IP address, which is PII

Yes, it's PII, which of course is why no one who does telemetry in a GDPR-compliant way would store the IP address. The fact that it's "sent" (in order to send anything at all over HTTP) isn't relevant. Only what's stored, for what reason, and for how long.

> If you add anything to link two subsequent telemetry reports together, that thing is PII (e.g. a hash or a uuid)

Again, no. PII is only information about physical people. Unless the data becomes enough to identify a person (in itself or together with other data), the data is not PII. Having a browser history associated to a random guid might be PII (because the browser history might pinpoint the user, not the guid!). But having a random guid associated to, say, "has run VS Code 12 times this year" is not.


> legitimate interests

No, telemetry is not something MS needs to fulfil the primary purpose of VS Code. Best example is that the OSS version is there, without any telemetry enabled by default, still doing by and large the same job.


Legitimate interest doesn't mean absolutely essential.

The OSS version obviously benefits from the telemetry (to the extent telemetry is useful) because it's downstream of the version developed based on the telemetry.


"Disclosing an IP address" may be a matter of the medium of comms being inadvertently TCP/IP. If MS does not log or store the IP in a meaningful/reversible way, are they processing PII?


In the Google Fonts CDN case the court ruled that it's irrelevant if the website or Google had the opportunity to link the IP address to the user. The mere possibility of this is enough to consider it as protected PII.


Question is whether Google Fonts CDN/server was storing the IP address or not. Linking to a user is secondary. If a server does not log or store raw IPs in the first place, where's the fault?


My man, you are arguing with an established case verdict. https://rewis.io/urteile/urteil/lhm-20-01-2022-3-o-1749320/ The wording that it is irrelevant what Google does with the IP (just the theoretical possibility of misuse is enough) is in the case verdict.


Per Wikipedia, Germany's legal system doesn't have the concept of binding precedent. (And even if it did, in no country is the decision of a trial court binding precedent.)


With that argument - would it hypothetically be legal for anonymised telemetry to be submitted over Tor?


No, the IP should not be exposed to any third party, not only to the final destination. Tor would hide the IP from the final destination but still expose it to the first relaying party.


The first relaying party would see the IP address, but none of the telemetry data. I think it's only the combination of the two that is legally a problem.


> It is neigh impossible

Haha sorry I couldn't continue past that! Neeeiiigggh!



