by kiallmacinnes 1595 days ago
Honestly, it's not that big a leap to reach this interpretation.

1) Your IP address is considered personal data, as it can be used to identify you. In general, everyone can see and agree with this.

2) In the absence of additional protections and/or contract terms[1], the transfer of personal data out of the EU is an offense under the GDPR (well, technically it's not out of the EU, but transfer to a country without GDPR equivalence).

So - embedding code / data from a 3rd party into your website results in a transfer of personal data.

[1] The idea of additional protections/contract terms is even questionable, but that's a whole other thing...


1) Your IP address is considered personal data, as it can be used to identify you. In general, everyone can see and agree with this.

Only if you're the sole user of that IP, which is e.g. not the case in a family.

It is enough to identify whoever is paying for the internet access, which is enough, in itself. And it might be enough to identify the actual user with "reasonable" certainty, e.g. if the user was home alone at the time the IP was used.

Courts found that it doesn't have to be demonstrated that a user can be identified; the abstract, reasonable risk that a user could be identified is enough to turn an IP address into PII (and this ruling explicitly mentions this).

I stand corrected - not everyone can agree!

In reality, as a service provider, you have no ability to determine if the client IP belongs to an individual or not - so you have no choice but to assume it does identify an individual.

This is ludicrous. Nginx logs are regulated now? What if you just want to make a static website and get on with your life?
You're not sending your nginx logs to Google, a well-known advertiser, are you?

In this case you can store IP addresses if you have a legitimate reason (e.g. you can show you need it for troubleshooting, etc.), as long as it's reasonable and doesn't infringe on the rights of the user, and you have documented it along with the retention strategy.
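One practical way to act on the "legitimate reason plus documented retention" point above is to truncate the client address in access logs before they are kept and to discard lines older than the documented retention window. The script below is an added example, not code from this thread or from nginx; it assumes nginx's default "combined" log format, uses constructed sample lines, and truncates to /24 for IPv4 and /48 for IPv6 as an assumption rather than a legal standard.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines in nginx's default "combined" format (not from the thread).
SAMPLE_LOG = """\
203.0.113.42 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"
2001:db8:85a3::8a2e:370:7334 - - [12/Oct/2023:09:01:02 +0000] "GET /style.css HTTP/1.1" 200 1024 "-" "curl/8.0"
this line is not in combined format
"""

# Field layout of the "combined" log_format: client ip, ident, user, [time], "request", status, size, "referer", "agent".
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def anonymize_ip(ip_text, v4_prefix=24, v6_prefix=48):
    """Zero the host bits so the stored address no longer points at a single subscriber.
    The /24 and /48 prefix lengths are assumptions chosen for this example."""
    addr = ipaddress.ip_address(ip_text)
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def parse_time(time_field):
    """Parse the nginx $time_local field, e.g. '10/Oct/2023:13:55:36 +0000'."""
    return datetime.strptime(time_field, "%d/%b/%Y:%H:%M:%S %z")


def process_log(text, now, retention_days=7):
    """Apply the retention window and anonymize what is kept.

    Returns a dict with:
      kept      - lines inside the window, rewritten with a truncated client IP
      expired   - number of lines older than the window (discarded)
      unparsed  - lines that did not match the expected format; they are held back
                  rather than kept, because an address in them could not be truncated
    """
    cutoff = now - timedelta(days=retention_days)
    result = {"kept": [], "expired": 0, "unparsed": []}
    for line in text.splitlines():
        match = COMBINED_RE.match(line)
        if not match:
            result["unparsed"].append(line)
            continue
        if parse_time(match.group("time")) < cutoff:
            result["expired"] += 1
            continue
        truncated = anonymize_ip(match.group("ip"))
        # Replace only the leading address; the rest of the line is left as logged.
        result["kept"].append(truncated + line[match.end("ip"):])
    return result


if __name__ == "__main__":
    report = process_log(SAMPLE_LOG, now=datetime(2023, 10, 15, tzinfo=timezone.utc), retention_days=4)
    for kept_line in report["kept"]:
        print(kept_line)
    print(f"expired: {report['expired']}, unparsed: {len(report['unparsed'])}")
```

Running the script with a four-day window dated 15 Oct 2023 keeps only the IPv6 line, rewritten as `2001:db8:85a3:: - - [12/Oct/2023:...`, counts the 10 Oct line as expired, and holds back the malformed line instead of retaining it unmodified. Whatever prefix lengths and window are chosen should be the ones written down in the retention documentation the comment refers to.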

No, that's not a criterion for “personal information” under GDPR.

Your name or your date of birth or your postal address isn't unique either, but they are still personal information.