Hacker News new | ask | show | jobs
by srrr 1423 days ago
That is not true. IP addresses are explicitly stated as personal data. That they are a technical requirement for a connection only has repercussions on how you are allowed to store and process this data and the consent you need to get from the user for your data processing.

You are not allowed to send IP addresses (even if they are a technical requirement for connection set up) to companies under US government control before you get full consent from the EU user.

The "technical requirement" exception (to process data without consent) only applies to GDPR complaint data processors which US companies can't be because of the Cloud Act.

https://ec.europa.eu/info/law/law-topic/data-protection/refo...
1 comments
jacquesm 1423 days ago
There is a huge difference between using your IP address in the course of the technical implementation of the IP protocol and the subsequent logging and re-transmission of that address to others, effectively you are agreeing with the GP while starting your comment with 'that is not true'. It is true. And you confirmed it.
link
srrr 1423 days ago
From what I understand the legal exception to process personal data without consent is written down in Article 6 https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL... (paragraph b)

"(1) Processing shall be lawful only if and to the extent that at least one of the following applies: (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;"

This is ok for GDPR complaint data processors. The reason why US companies can't be GDPR complaint is because of Article 5 and the conflict with the Cloud Act: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL... (paragraph f)

"(1) Personal data shall be: (f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)."

See also Schrems II: https://en.wikipedia.org/wiki/Max_Schrems#Schrems_II

It doesn't even matter if you asked for consent or have other reasons to process the data (Article 6) if you are not complying with Article 5.

link
jacquesm 1423 days ago
Since there is no way to give your consent without accessing the server this argument is moot.
link