Web logs are not a punishable offence under the GDPR, if you have a legal basis for retaining those logs and reasonable retention and data minimisation policies. If those are in place and you've documented them, you have nothing to worry about. Why? You have a legitimate interest (one of the six legal bases under the GDPR) to combat fraud and maintain information security. That's the primary reason you have those IPs in your logs in the first place. If you're using those logs for analytics purposes, things get slightly murkier, but if you're just using IP addresses to enrich your log data with GeoIP, you should be fine. You might even be able to get away with more granular third-party databases, but the more detailed you get, the closer you get to profiling (which is not where you want to be, if you want to minimise your legal fees). More to the point, I don't understand all this talk about web logs being illegal. If people have collected and processed personal data without thinking about the whys and wherefores, isn't it just a good thing this makes one think about what one is logging and what it's used for? Granted, IP addresses are far from sensitive (depending on your threat model), but I've seen things in technical logs that make me happy about reliable automated retention policies. Also, granted, it's a hassle - that's the price you pay for privacy. I'd still be glad if nginx et al shipped with more GDPR-compatible defaults.
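What the data minimisation and automated retention the comment above describes can look like in practice, as an added example that is not part of the thread: a small Python post-processor that masks client addresses in nginx "combined" access-log lines down to a network prefix (coarse GeoIP still resolves, the host-identifying bits do not) and drops lines older than a retention window. The log lines, prefix lengths and retention period are constructed assumptions, not anyone's policy.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Constructed sample lines in nginx "combined" log format (not from a real server).
SAMPLE_LOG = """\
203.0.113.77 - - [01/Jun/2018:10:15:32 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"
2001:db8:1234:5678::1 - - [02/Jun/2018:11:00:01 +0000] "POST /login HTTP/1.1" 302 0 "-" "curl/7.58"
198.51.100.9 - - [03/Sep/2018:08:00:00 +0000] "GET /admin HTTP/1.1" 403 0 "-" "Mozilla/5.0"
"""

# client address, "ident user", [timestamp], then the request line and the rest
LINE_RE = re.compile(r'^(?P<ip>\S+) (?P<ident>\S+ \S+) \[(?P<ts>[^\]]+)\] (?P<rest>.*)$')

def mask_ip(ip_text: str, v4_prefix: int = 24, v6_prefix: int = 48) -> str:
    """Keep only the network prefix of an address (assumed /24 for IPv4, /48 for IPv6).
    Country/region GeoIP lookups still work on the prefix; the single-host bits are gone."""
    addr = ipaddress.ip_address(ip_text)
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)

def minimise_line(line: str, cutoff: datetime) -> Optional[str]:
    """Return the line with the client address masked, or None when the line is
    older than the retention cutoff (or does not parse) and must be dropped."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    if ts < cutoff:
        return None
    return f'{mask_ip(m.group("ip"))} {m.group("ident")} [{m.group("ts")}] {m.group("rest")}'

def process_log(text: str, now: datetime, retain_days: int = 90) -> List[str]:
    """Apply the retention window and address masking to every line of an access log."""
    cutoff = now - timedelta(days=retain_days)
    kept = (minimise_line(ln, cutoff) for ln in text.splitlines() if ln.strip())
    return [ln for ln in kept if ln is not None]

def demo() -> List[str]:
    """Run the sample through a 100-day window as seen on 2018-09-10 (assumed 'now')."""
    return process_log(SAMPLE_LOG, datetime(2018, 9, 10, tzinfo=timezone.utc), 100)

if __name__ == "__main__":
    for ln in demo():
        print(ln)
```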
If people are creating software that burns fossil fuels without thinking about the whys wouldn't it be a good thing to have a law that regulates how we use electricity? Shouldn't an EU regulator have input on whether you can release your new blockchain app? You should be fine if its purpose falls into one of the covered categories...
People are creating online communities that enable abuse of members. Do we need statutes and regulations to mandate abuse protections in online interactions and punish platforms that allow users to abuse other users?