9 comments

[ 2.7 ms ] story [ 32.3 ms ] thread
Personal data are so if they can be linked to an identified or identifiable person.

So in itself an URL would need to not only contain information that may be deemed personal but also information to identify that person.

In the case of logs I think the criteria are most likely met when considering that time, IP address, and metadata such as URLs are often collected to stored together. These 3 pieces of information together may then most likely become (sensitive) personal data.

Yes; It might not be clear, but my argument is that these sorts of logs are usually personal data (as they usually include IP-address or other person/device-identifier) – but if you have URLs too you run the risk of storing SENSITIVE personal data ("special category").
In general IP addresses are not personal data in themselves because the controller has no means to link them to individuals: If I operate a website I can log the IP addresses of visitors but I have no way of identifying those visitors (unless e.g. they are customers with accounts and can log in).

It is certainly good practice to treat logs as if they were personal data when it comes to handling and securing them but whether they are in fact personal data needs to be considered for each specific case.

You're incorrect – the GDPR mentions IP addresses specifically as an example of personal data in recital 30 [0].

The EU Commission also mentions [0] it as an example of personal data.

[0]: https://gdpr-info.eu/recitals/no-30/

[1]: https://ec.europa.eu/info/law/law-topic/data-protection/refo...

Of course IP addresses can be personal data. But in themselves they aren't. The GDPR do not claim otherwise, including recital 30.

The links you provide list examples of what may be personal data.

As already mentioned, and also actually stated in your second link, for something to be personal data it must be related to an identified or identifiable person. Their first paragraph summarises it well (the definition is of course the one in the GDPR):

"Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data."

So if you have IP addresses and nothing else, you most likely do not have personal data. But if you have IP addresses of identified individuals (e.g. logged users personally identified) you most likely have personal data. This is in line with an ECJ ruling from 2016 and the GDPR have not changed that.

A problem is that people make shortcuts so "IP addresses can be personal data" becomes "IP addresses are personal data".

Sorry, but I still don't think you're right. In fact, your understanding doesn't sound like anything I've heard from anyone else. The link doesn't give examples of what can be, but what is personal data.

"Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data."

This says something about the data, and how it relates to a person in itself – not what practical ways you have in a certain context, limited only to other information you have immediately available in that same context. It's about whether the individual is identifiable – the ICO says [0]:

"You should take into account the information you are processing together with all the means reasonably likely to be used by either you or any other person to identify that individual."

Otherwise, this next part wouldn't make sense:

"Personal data that has been de-identified, encrypted or pseudonymised but can be used to re-identify a person remains personal data and falls within the scope of the GDPR."

It isn't an issue of whether you're able to identify the person given only the information you have available – but whether the candidate can be theoretically identified.

[0]: https://ico.org.uk/for-organisations/guide-to-data-protectio...

Well, I'm just describing what the GDPR and previous ECJ rulings say. The GDPR do not state in absolute terms that IP addresses are personal data. Another problem is that on these issues a lot of the material available uses the shortcut I described and/or is plain wrong. Then they all copy each other and a consensus emerges but it is based on an incorrect starting point.

I would also disagree with you when you say that your links list examples of what are absolutely personal data. Recital 30 uses "may be identified", because indeed that may or may not be the case depending on the context. The article from the Commission states the definition very clearly and only then lists examples. You cannot consider that list without reading the definition first.

The definition of personal data is that they must be linked to a identified of identifiable. That's the key. You always need to ask yourself if that's the case.

"This says something about the data, and how it relates to a person in itself – not what practical ways you have in a certain context, limited only to other information you have immediately available in that same context. It's about whether the individual is identifiable"

Whether an individual is identifiable depend on the context, and therefore many pieces of information are personal data only depending on the context and not in absolute terms.

Again, the link to the ICO you provide, and quote, explains this, as you say it is about whether the individual is identifiable (and the ECJ ruling below also addresses this). You'll also note that they are careful and refrain from stating in absolute terms that IP addresses identify individuals and are personal data:

"What identifies an individual could be as simple as a name or a number or could include other identifiers such as an IP address or a cookie identifier, or other factors.

If it is possible to identify an individual directly from the information you are processing, then that information may be personal data.

If you cannot directly identify an individual from that information, then you need to consider whether the individual is still identifiable. You should take into account the information you are processing together with all the means reasonably likely to be used by either you or any other person to identify that individual."

As said, this is in line with the ECJ ruling I mentioned [1]. If you are a normal website operator you have no way of identifying people from logged IP addresses unless these relate to your users (if you identify them personally) and you have no legal means to get that information. In this context IP addresses are unlikely to be personal data, but in the context of identified users then IP addresses are likely to be personal data.

[1] https://www.whitecase.com/publications/alert/court-confirms-...

We're talking past each other here.

The definition of personal data is "any information that relates to an identified or identifiable living individual [...] directly or indirectly"

This says nothing about being linked. It's about whether the candidate can be theoretically identified. This includes both _any_ information unique enough (having enough entropy, in the information theory -sense of the word) in and of itself, as well as information that can identify the data subject in combination with other data.

In summary: Whether a piece of data constitutes "personal data" is not dependent on "whether an individual is identifiable" from that isolated piece of data itself.

The concept is thus much broader, and totally different from Personally Identifiable Information (PII).

I used the word "linked", fine, I could have used "relate". I think "linked" is clearer because that what "relate" means in the context.

> Whether a piece of data constitutes "personal data" is not dependent on "whether an individual is identifiable" from that isolated piece of data itself.

Neither I not the GDPR claim that the person must be identifiable by the piece of data in itself, but rather that the person must be identifiable by the data the controller possesses or can have access to. That's the definition and the opinion of the ECJ on the matter (I linked a summary), and also what all the articles linked to in our discussion say.

For example, if I take a hospital database of all patients and their blood types, the blood types relate to (are linked to) identifiable individuals: They are personal data.

Now, I extract those blood types and go home with a list of blood types and nothing more. Now they are anonymous, they no longer relate to identified or identifiable individuals (I cannot know whom they relate to, they are no longer linked to identifiable individuals). Therefore, they are no longer personal data.

The same holds for IP addresses. In general, I cannot identify individuals if I only have IP addresses. That's why my point, and the legal position, is that IP addresses in themselves are not personal data. You need to consider a specific case and scenario to determine if they are personal data in that specific case.

Note that this is law, not science. "Theoretically identified" is not a legal concept. "Reasonably identified" is. Can an IP address at time t identify an individual? Yes. But in practice can the owner of a website reasonably make that connection? No, unless the individual has provided further information about themselves (see ECJ case).

Again, and in conclusion: The statement "IP addresses are personal data" is a shortcut and is not correct, though it can be used as a matter as good practice. The correct statement of the law is: "IP addresses can be personal data depending on the circumstances".