top | item 24868595

(no title)

nscmnto | 5 years ago

The IP address, on its own, should not considered PII.

There was a ruling in Breyer vs. Germany that IP addresses can be considered PII – in certain circumstances.

The case was brought against an ISP, and the court ruled that the company had enough correlating data at its disposal to make an IP address de facto PII for any of its customers. The court limited its ruling, saying that with just an IP address alone, the protections associated with the directive wouldn’t apply.

discuss

fogihujy|5 years ago

GDPR simply classifies "personal data" as any piece of information that can be used to identify an individual. A static IP used by one person could therefore be considered personal data while a public IP shared between thousands of people behind carrier-grade NAT would not.

The problem is that you can't tell the two apart and decide when it's safe handle the IP.

magicalhippo|5 years ago

Indeed. My dynamically allocated public IPv4 address, given to me by my cable company, has been the same for as long as I've lived here, over four years now.

Ironically, my IPv6 prefix can change several times a day...

yorwba|5 years ago

IP addresses IP addresses are never PII. PII means information about a person who can be identified. In that context, IP adresses are an identifier, not the information itself.

If you store IP adresses in your customer database, the information is that a person with that IP is one of your customers. This information is considered PII if it's possible to use the IP to identify the person the information is about, e.g. using a government database of everyone's IP address. If the data never reaches someone with access to such a database, it's not PII.

(This is a somewhat pendantic distinction, but it matters legally. Data protection law doesn't care about which identifiers are being used, but about the data associated with it and whether it tells you something about a specific identifiable person.)