I have submitted this because it is frequent to see on HN claims that IP addresses are personal data under GDPR. I’m yet to see a good source for this blanket statement, and this link contains a more nuanced analysis, essentially saying that IP addresses are only personal data in some cases, where they can be used to identify a person (without involvement of the ISP).
The coverage of GDPR I've seen (and in my view, the regulation itself) has been pretty clear that data becomes covered "personal data" only to the extent that the data, in aggregate, can be used to identify a real person.<p>So an IP address <i>on its own</i> is almost never personal data, because of wifi, NAT, dynamic IPs, shared devices, etc. Then again, a <i>name</i> is almost never personal data on its own either; "John Smith" could refer to any one of hundreds of thousands of people or it could be a pseudonym and refer to literally billions of people.<p>But if someone registers on your site, and you log the IP address <i>and</i> their name, you're a lot closer to personal data. Add a timestamp, and you probably can identify a real person.<p>So if you're trying to be careful about GDPR, you should probably be careful about storing IP addresses (or IP addresses that can be linked to other bits of potentially personal data). The focus of GDPR compliance can't be on "oh this field is fine, but this field is personal data", it should be on what you're collecting in aggregate. That makes IP addresses dangerous, because they provide a lot of information that could be used to identify someone.
This is an odd ruling to me.<p>If an ISP is willing to sell that data, are IP addresses now PII for everyone?<p>If one part of a company has such a DB, does it apply to every part of the company? What if it's multiple companies owned by a conglomerate?<p>If you include an image (or a font!) from somewhere else in a web page, you are causing the user's IP address to be sent to the hosting party, are you liable for sending PII if the target can link IPs to names, because they (e.g. Google) have a DB?
The main takeaway (IMO) from this article is right here:<p>> <i>However, businesses should note that if they have sufficient information to link an IP address to a particular individual (e.g., through login details, cookies, or any other information or technology) then that IP address is personal data, and is subject to the full protections of EU data protection law.</i>