But GP has a point: An IP address (together with a timestamp) may be used to identify you a person but if it's not connected to actual personal data (e.g. what website you visited), "leaking" it to Google doesn't provide Google with any data about you.
I mean, IP address ranges are publicly known. If I now run a `for` loop over all IPv4 addresses and write them to my HDD, am I suddenly illegally storing personal data of all the people behind those IP addresses? Obviously no. An identifier by itself is not worth anything, unless it's connected to actual personal data.
EDIT: Never mind. GP's assumption that "there’s no Referer header - which there won’t be, assuming Referer-Policy is set sanely (which by default it is in all browsers)?" does not seem to hold in my browser. So Google does not only receive the IP address but also the HTTP REFERER.
The court judgement addresses this exact point. There are previous judgements (Breyer v Bundesrepublik Deutschland) that establish that dynamic IP addresses are personal data. There are reasonable means to identify the data subject with the help of third parties, such as the ISP. “For this it is sufficient that the defendant has the abstract means for identification of the person behind the IP address. Whether the defendant or Google have the concrete means for linking the IP address with the plaintiff is irrelevant.”
That there is correlating information like timestamps, useragent strings, or referer headers increases the likelihood of actual identification, but the mere reasonable possibility of identification is sufficient for IP addresses to be personal data.
You are extremely naive if you believe Google can't infer anything if the referer is missing.
An IP + user-agent combination (both of which are sent) is enough to uniquely identify a typical home user with high certainty unless they're behind a carrier-grade NAT and use a very popular browser.
> If I now run a `for` loop over all IPv4 addresses and write them to my HDD, am I suddenly illegally storing personal data of all the people behind those IP addresses
That's actually a good point. The IPv4 space is pretty limited. I guess the GDPR law makes it PII if you bundle both the IP with an action made by that IP (e.g. that IP visited that website).
codethief|4 years ago
I mean, IP address ranges are publicly known. If I now run a `for` loop over all IPv4 addresses and write them to my HDD, am I suddenly illegally storing personal data of all the people behind those IP addresses? Obviously no. An identifier by itself is not worth anything, unless it's connected to actual personal data.
EDIT: Never mind. GP's assumption that "there’s no Referer header - which there won’t be, assuming Referer-Policy is set sanely (which by default it is in all browsers)?" does not seem to hold in my browser. So Google does not only receive the IP address but also the HTTP REFERER.
latk|4 years ago
That there is correlating information like timestamps, useragent strings, or referer headers increases the likelihood of actual identification, but the mere reasonable possibility of identification is sufficient for IP addresses to be personal data.
Nextgrid|4 years ago
An IP + user-agent combination (both of which are sent) is enough to uniquely identify a typical home user with high certainty unless they're behind a carrier-grade NAT and use a very popular browser.
XCSme|4 years ago
That's actually a good point. The IPv4 space is pretty limited. I guess the GDPR law makes it PII if you bundle both the IP with an action made by that IP (e.g. that IP visited that website).