by stevetrewick 2966 days ago
IP addresses are only PII if you are able to actually use them to identify an individual.

> The CJEU decided that a dynamic IP address will be personal data in the hands of a website operator if:

> there is another party (such as an ISP) that can link the dynamic IP address to the identity of an individual; and the website operator has a "legal means" of obtaining access to the information held by the ISP in order to identify the individual. [1]

So once the account info is deleted, that link is broken. This is another piece of DP legislation that has been subject to a great deal of FUD since most of the headlines just went with ‘court confirms IP addresses are PII’ and omitted ‘in some cases’. TBH, this was already pretty explicitly obvious from the legislation defining Personally Identifiable Information (hint: clue’s in the name).

[1] https://www.whitecase.com/publications/alert/court-confirms-...

2 comments

> So once the account info is deleted, that link is broken. This is another piece of DP legislation that has been subject to a great deal of FUD since most of the headlines just went with ‘court confirms IP addresses are PII’ and omitted ‘in some cases’. TBH, this was already pretty explicitly obvious from the legislation defining Personally Identifiable Information (hint: clue’s in the name).

Makes sense.

Given the above, it still seems like a potential issue to not delete the IP logs.

1) Bob signs up for a service and is logged

2) Bob then asks for his account to be deleted. Account details are deleted, but the IP logs are retained.

3) Bob signs back up for a new account, allowing the data processor to make the link from his new account to his old IP logs with the first account.

Whether the data processor can relink the two records with reasonable probability in step 3 depends on the particulars of the circumstance.

I assume cases like the above will be judged, at least in part, based on the data processor following best practices and operating in good faith (not actively trying to unmask individuals and actively trying to prevent unmasking).

Currently I would not let the GDPR stop me from going forward with any web services plans; however, my casual reading of GDPR articles on HN and beyond has not made it obvious how cases like the above will be handled.

What about cryptocurrency? Lots (most?) record IP addresses, after which independent analysis can be done.