[kuschku]

For HTTP logs, allowed use would be e.g. stripping the last octet of an IPv4, or stripping the last 64 to 80 bytes of an IPv6.

That’s generally not identifying a single person anymore, and usually good enough for anything else.

[eadmund]

> For HTTP logs, allowed use would be e.g. stripping the last octet of an IPv4, or stripping the last 64 to 80 bytes of an IPv6.

> That’s generally not identifying a single person anymore, and usually good enough for anything else.

'Usually'? Even if true (highly doubtful), that's not the same as 'always.' The whole purpose of logs is to be truthful accounts of pertinent data. A full IP address is a pertinent datum.

I'm going to step up on my soapbox and assert that any law which forbids me from indelibly recording that 192.0.2.17 requested /all-your-records-are-belong-to-us is a bad law.

[lokedhs]

The GDPR does not forbid you to do those things.

It does require you to treat the information as PII, which is going to give you some hassles, but you are not banned from recording it.

[eadmund]

I'm banned from recording it immutably, which is the only proper way to record a log (it should be impossible to alter a log after it's written).

If I want to record that a particular address accessed my system forever, that is my right.

Interestingly, the GDPR exempts records required for legal compliance. So it's okay to hold onto data for the law's purposes, but not my own? That's a bit one-sided.

[iovrthoughtthis]

This does not make the data not PII as if used in conjunction with some other data it could still be used to identify a natural person.

[kuschku]

If you have such additional data, yes.

In the general case (e.g. hosting a simple website where you strip user identifiers and the last octet out of the nginx logs) it becomes no PII then.