by AnthonyUK 1557 days ago
It is quite easy really. If you are not able to identify a person by IP it is not PII. It MAY be PII for ISPs for example if they are able to associate the IPs to customers so they would have to treat it as such.

The definition is:

>‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

The lack of an actor in the sentence is key. In other words, just because you can't identify the person with the data you have doesn't mean it's not PII. If a piece of data can theoretically be traced back to a person then it's PII.

GDPR is extraordinary in its attempts to be as broad as possible. As written it covers effectively every bit of data you collect.

This was the finding of the case Patrick Breyer vs Germany in 2016

https://www.whitecase.com/publications/alert/court-confirms-...

What makes a dynamic IP address personal data?
The CJEU decided that a dynamic IP address will be personal data in the hands of a website operator if:

there is another party (such as an ISP) that can link the dynamic IP address to the identity of an individual; and the website operator has a "legal means" of obtaining access to the information held by the ISP in order to identify the individual. On the facts, if the BRD has the legal power to compel the relevant ISP to disclose sufficient information to identify Mr Breyer, then Mr Breyer's IP address will be personal data in the hands of the BRD.

The CJEU also did not ask the specific question in that case - Were the BRD LIKELY to identify Mr Breyer? If this is something that you have never done before or will do in the future then it is not likely that you will try to identify someone by their IP.

From your cite:

>Where a piece of information (such as an IP address) does not directly identify a person, that piece of information will nevertheless be personal data in the hands of any party that can lawfully obtain sufficient additional data to link the information to a person's real world identity

In a world of data brokers that makes IP addresses PII. The only way it's not is if you verify that there is no way you can lawfully obtain additional data to link the IP to a person. I don't see how you can practically do that.

In the UK it is not even a requirement for an ISP to keep those records, but that is not the topic to address, so who is able to legally obtain that data, and is it something that you are reasonably likely to do?

You can see why people err on the side of caution.

>who is able to legally obtain that data and is it something that you are reasonably likely to do?

Any other 3rd party that has obtained their IP address and can legally share it with you. That's the problem. How do you ensure that something doesn't exist? Practically it's impossible.

No. IP addresses are considered PII. PII that in many use cases doesn't need consent (logging, spam prevention, etc.), but still PII.