|
|
|
|
|
|
by rndgermandude
1585 days ago
|
|
|
There were rulings finding IP addresses by themselves are already PII[0], because an IP address might be tracked back to a person. E.g. an IP address can potentially be used to go to an ISP and request the subscriber information, and the subscriber information potentially identifies the user of the IP address at a given time, if the subscriber cannot name anybody else who could have reasonably used used the IP address at a given time. Courts found that this abstract risk is enough to qualify IP addresses as PII, as they can potentially identify people indirectly. The recent German ruling about loading Google Fonts without prior consent explicitly mentioned these rulings and made them a core part of their own conclusions. [0] The most important ruling is the Breyer ruling (C‑582/14), that found, answering question one, that "dynamic" IP addresses are PII. Further rulings have regularly found that "static" IP addresses are PII, and that you cannot really know what is a "dynamic" and a "static" IP address with reasonable certainty anyway. "Article 2(a) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data must be interpreted as meaning that a dynamic IP address registered by an online media services provider when a person accesses a website that the provider makes accessible to the public constitutes personal data within the meaning of that provision, in relation to that provider, where the latter has the legal means which enable it to identify the data subject with additional data which the internet service provider has about that person." https://curia.europa.eu/juris/document/document.jsf?text=&do... |
|
|
They are personal data because they are a fact about an identifiable person and thus fall under the GDPR's processing requirements esp. relevantly when transferring to third-parties; but they are not per se PII.