Reading the GDPR text shows there is a bunch of exceptions for which storing of example IP-addresses can be done without anonymizing or consent, with one of the more clear cut being security. If the processing is done exclusively for security purpose then the site can argue in court that they are in compliance.<p>Compliance with the law is always about context. What is gathered, why and how is it used, and last is there additional factors to consider. Google Analytics in itself is interesting because it is not clear if Google themselves then process the data and for what use, especially for the enterprise version.
I don't have the text in front of me but I'm pretty sure there is an exception for member states government agencies (if they choose to have the exception). I wouldn't be surprised if this covers EU agencies and institutions as well.
This is a reasonable observation but I doubt anyone will care. Moreover it misses the point of GDPR.<p>The goal is not to improve people's privacy. It's too vague to achieve that. Obviously the EU doesn't care as even its own websites aren't in compliance - assuming this guy's definition of compliance is the same as theirs. How likely is it the rest of the EU's operations are? Zero likelyhood of that.<p>But that's OK. GDPR doesn't even have a concrete notion of what privacy or personal information actually are. The goal is not to improve privacy, that's just a fig leaf. The goal is to grant the EU large new powers over the private sector and in particular over American tech firms, who will repeatedly be fined and treated as, effectively, a new source of tax income. GDPR is so vague and open ended that there's no way they can ever be compliant, meaning the EU has a new source of cash for years to come. Very useful at a time when they are asking for budget <i>increases</i> despite years of austerity, and facing a budget hole due to Brexit, <i>and</i> member states are getting upset at their financial demands.<p>GDPR enforcement will be very similar to EU anti-trust policy - deeply political and immediately controversial. It is best understood not as a law but as a political move, sort of like how China uses laws against pornography to justify blocking foreign search engines, or how it uses a law against 'spreading rumours' to censor domestic social media.