[Nextgrid]

IP addresses for starters, which are considered personal data under the GDPR.

Keep in mind that the mere transfer of the IP address (which is inherent in a TCP connection and cannot be avoided in the default setup without proxying it yourself) is enough, regardless of whether Google will actually store said IP or anonymize it (not that you should trust them in any case).

[fooster]

IP addresses by themselves are not personal data.

[martin_a]

They can be used to track and identify users, so they are personal data.

My IP address hasn't changed in some time, so if someone was to connect various sources of information, he would be able to identify me personally

[origin_path]

They can be used to track and identify users by the police. Not by third parties, because ISPs won't give out identifying information to those.

That something could potentially be correlated across time and space to link different facts about you, does not or should not make those things personally identifying. Otherwise there's a lot of obvious problems e.g. if you were in the habit of wearing unusually distinctive clothing, or had an interesting bumper sticker on your car, etc, then all those things would become "personally identifying" even if nobody who saw them had any idea who you are. There are also deep moral limits to how blind you can insist other people become.

[zelphirkalt]

> That something could potentially be correlated across time and space to link different facts about you, does not or should not make those things personally identifying.

I think the rules are usually though, that when those correlating things are put together, into one system, then the combination of those things are in sum personally identifying. That can actually happen very quickly and in non-obvious ways. You might add something inconspicuous and suddenly that makes users unique and allows to map in any theoretical way to real identities.

I think one also has to consider publicly available information sources. Just to make a silly example:

If there was some public register of favorite foods of people, and you asked your users about favorite foods, which you store in your database. Ooops, it is personally identifying, because anyone with that data in hand could map it to identities using publicly available data.

However, I am not so sure, that the publicly available data is considered for judging whether something is personally identifying information.

[origin_path]

But, you can't map to "identities" in most of these cases. That's why these laws don't seem to make any sense. An identity is a powerful thing but, an IP address is not an identity. Just knowing one doesn't tell you anything, nor does it let you look anything up unless you happen to have multiple sites that the user is browsing - and even then, not really, due to IP address re-use.

[zelphirkalt]

The conversation was about correlations and not merely about one attribute like IP addresses.

An IP address limits the location of a person significantly, unless they use VPN or so, which most people do not, so it cannot be assumed, but rather one must assume, that they do not use VPN.

Add one more attribute and through correlation you might already be able to map to an actual identity. It can happen very easily and you don't want to be an organization, which suddenly realizes, that some of their data has accidentally become personally identifying, when the next data protection audit happens.

Data also does not stay in one place only. It travels from department to department, often from organization to organization even. It has these tendencies, unfortunately. Each actor might have some data as non personally identifying, but when they sell and combine, suddenly it becomes personally identifying data.

An IP address is a very critical part in the data about users and ISPs are not to be trusted to never give their data to another actor. Many ISPs are shady businesses.

[martin_a]

It's easy, I will quote myself:

> Connect my login into my personal Google account with the same IP address over and over to all the script calls on other Google services.

That's it. That IP address is _pretty sure_ me and not somebody else and therefore a personal information.

[morelisp]

> Not by third parties, because ISPs won't give out identifying information to those.

lol

[pelorat]

How so? Your almost fixed IP address does not leak your real identity, at most it leaks your ISP.

[morelisp]

You're making the argument that it's not PII, which has no bearing on if it's personal data.

[martin_a]

> How so?

Connect my login into my personal Google account with the same IP address over and over to all the script calls on other Google services.

It's pretty easy to connect the dots once you have a far enough reach.

[manuelmoreale]

They are according to the GDPR and that’s all that matters when it comes to the issue discussed here.

[judge2020]

> IP addresses for starters,

https://support.google.com/analytics/answer/2763052?hl=en

[Nextgrid]

Have you read the second paragraph of my reply?