
Countless websites are served by webserver software (Apache, nginx, etc.) which logs the source IP address of every web page visit. The GDPR considers an IP address "personal data" that is subject to the GDPR. The GDPR requires consent of the subject for collection or storage of personal data (in this case, IP addresses in a log file). How is a website owner supposed to acquire consent by way of the website if the very act of visiting the website page to acquire consent records the "personal data" about which consent is being granted?

Obviously, the option is available to website owners to configure their webservers not to log IP addresses, but that has security implications. Do these security concerns suffice to absolve a website owner from requiring consent to log IP addresses? Is a prominent notice (on every page, until dismissed) sufficient?

How is the GDPR supposed to be interpreted with respect to the extremely common and prevalent practice of IP address logging?

(I have read Would GDPR affect my own personal website? and the answers at the time of this writing are not sufficiently satisfactory. Article 6, paragraph 1 does not make the question of automatic IP address logging without explicit consent clearly acceptable or not. http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN )

  • I would ask even a stronger question - does merely having a website necessitate asking for consent from EU visitors? From GDPR: "‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;" And you need to use the IP to send back the response! – kozyr May 18 '18 at 00:38
  • I do not think this is a duplicate of Would GDPR affect my own personal website? That question asks about IP address logging on a personal website, and one of the upvoted answers is based on the fact that the site is personal. This question asks about IP logging for any website site - whether personal or not. – Free Radical May 19 '18 at 03:19
  • @kozyr. Your "stronger question" is based upon the same misunderstanding as the OP - that the GDPR makes consent a mandatory requirement for all processing of personal data. This is simply not a correct understanding of the GDPR. – Free Radical May 19 '18 at 03:25
  • I see lots of debate on this subject. IP addresses are personal data because it clearly states that in the law. Even though in some cases you may get away with it, all IP addresses should be considered as personal data and should be treated as personal data. – Mark McCormick Aug 16 '21 at 03:47

2 Answers

In the question, you write:

The GDPR requires consent of the subject for collection or storage of personal data (in this case, IP addresses in a log file).

No, it does not.

To quote Miss Infogeek:
GDPR DOES NOT MAKE CONSENT A MANDATORY REQUIREMENT FOR ALL PROCESSING OF PERSONAL DATA.

Consent (Article 6 (1)a) is indeed one of the conditions that can be used to comply with the GDPR requirement that processing must be lawful, but it is not the only condition available to the controller to ensure lawful processing – there are alternatives (before the list of conditions it says that "at least one of the following" must be satisfied).

All the conditions for lawfulness of processing are spelled out in Article 6 of the GDPR.

One of the alternatives is Article 6 (1)f. It says it is legal to process personal data if

processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. (my emphasis)

As noted in the question, logging IP addresses for the purpose of security is an extremely widespread practice. It is a legitimate interest to comply with standard security practices. It is the default, and most (all?) web-sites do this.

I.e. it is legal to do this without consent (if this were not the case, I am pretty sure the outcry would have been heard all over the Internet by now).

  • Thank you for this answer. It hinges on IP address logging being "for the purpose of a legitimate interest", but I think I am comfortable assuming that. – Pistos May 19 '18 at 05:47
  • I will, but I'll give it time to see if anyone else has anything else to add. – Pistos May 19 '18 at 19:40
  • "It is extremely hard, if you are not law enforcement, to connect an IP-address to a natural person" it really does not matter if it's hard or easy to connect IP to natural person. As long as you can do that this is personal data. If you really are storing IP for security practices then this complies with GDPR; but if you store IP for e.g. geolocation tracking or serving geolocalized ads then (without consent) it's not. – Marian Paździoch May 21 '18 at 10:50
  • "It is the default, and most (all?) web-sites do this." actually no, if I have a private blog web page (e.g. static page hosted on github pages) and I use GA for checking who reads it, then GA may collect IP but definitely not for security reasons (but for tracking reasons which is not compliant with GDPR without user consent). I believe this is why IP anonymisation was introduced https://support.google.com/analytics/answer/2763052?hl=en – Marian Paździoch May 21 '18 at 11:46
  • @MarianPaździoch. I do not understand this latest objection. Where do I say that letting Google Analytics profile my users " is the default, and most (all?) web-sites do this". I think it should be clear from that paragraph that I write specifically about "logging IP addresses for the purpose of security" and not about logging IP addresses for other purposes, including tracking, profiling and analytics. – Free Radical May 21 '18 at 12:17
  • I meant this is neither default nor common - you have to explicitly do something to make it "for secure reasons" (my example is some random private blog web page who uses GA for checking who reads it) – Marian Paździoch May 21 '18 at 12:51
  • @MarianPaździoch. No, you do not have to explicitly do something to enable security logging. When you first set up Apache, it logs IP-addresses by default. And it does this for security purposes (that's what it says in the manual). In fact, you need to have some knowledge about Apache to turn this logging off. When you first set up a web-site, it does not send IP-addresses to Google (or any other external website by default). Google makes it very easy for you to add the tracking JavaScript to your site, but you have to do this. – Free Radical May 21 '18 at 13:11
  • @MarianPaździoch part of the misunderstanding here is that having a blog page on github is not setting up a website as Free Radical is using the term; it's using an existing website, in this case github, to host your blog. In that case, you have no control over the web server, its logging configuration, or its data collection and processing practices. – phoog May 25 '18 at 02:20
  • So if GitHub pages logs IP addresses and the maker of the site collects no information AT ALL then does the owner have to enforce users rights on GitHub? Joint controller scenario? India, USA, Australia there is no notice but for EEA Google gives notice in blogspot. So how is GitHub pages different from blogger or Google sites. If they need a notice why will GitHub not? – rightlifesavecompenthusiast Nov 04 '20 at 07:35
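A practical middle path between the two options the question poses (keep the raw address in the log for security, or stop logging it) and the purpose distinction drawn in the comments above, as an added example that is not code from the question, the answers or any project: Python that rewrites Apache combined-format lines so %h holds only the truncated network and the %l field a keyed pseudonym, then runs a failed-login check on the rewritten log. The log lines and the key are constructed placeholders; the key would be generated randomly and rotated with the retention period.

```python
import hashlib
import hmac
import ipaddress
import re
from collections import Counter

# Apache "combined" format: %h %l %u [%t] "%r" %>s %b "referer" "user-agent".
LOG_RE = re.compile(r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) '
                    r'(?P<rest>\[[^\]]+\] "[^"]*" (?P<status>\d{3}) .*)$')
# Constructed sample lines (documentation address ranges), not from a real server.
SAMPLE_LOG = [
    '203.0.113.42 - - [21/May/2018:10:50:01 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"',
    '203.0.113.42 - - [21/May/2018:10:50:02 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"',
    '203.0.113.42 - - [21/May/2018:10:50:03 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [21/May/2018:10:51:00 +0000] "GET / HTTP/1.1" 200 2048 "-" "curl/7.58.0"',
    '2001:db8:1234:5678::1 - - [21/May/2018:10:52:00 +0000] "GET /about HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]
# Hypothetical key: generate it randomly and rotate it with the log retention period.
KEY = b"constructed-demo-key"

def truncate_ip(ip: str) -> str:
    """Coarsen like IP-anonymisation features: keep the /24 of an IPv4 address
    or the /48 of an IPv6 address and zero the host part."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)

def pseudonymise_ip(ip: str, key: bytes) -> str:
    """Keyed HMAC of the full address: one client's requests stay linkable for
    the key's lifetime, but the address is not recoverable without the key."""
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()[:16]

def rewrite_line(line: str, key: bytes) -> str:
    """Put the truncated network in %h and the pseudonym in the (almost always
    '-') %l field, so the field count and existing log parsers survive."""
    m = LOG_RE.match(line)
    if not m:
        return line  # keep unparseable lines rather than silently dropping them
    return f'{truncate_ip(m["ip"])} {pseudonymise_ip(m["ip"], key)} {m["user"]} {m["rest"]}'

def failed_logins_per_client(rewritten_lines, threshold: int = 2) -> dict:
    """Security use of the pseudonymised log: clients with more than `threshold`
    401 responses. Detection needs linkability, not the address itself."""
    counts = Counter()
    for line in rewritten_lines:
        m = LOG_RE.match(line)
        if m and m["status"] == "401":
            counts[m["ident"]] += 1
    return {p: n for p, n in counts.items() if n > threshold}
```

Running `failed_logins_per_client([rewrite_line(l, KEY) for l in SAMPLE_LOG])` flags the one pseudonym with three 401s without the raw address ever reaching disk.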

The GDPR considers an IP address "personal data" that is subject to the GDPR.

That seems to be a common misconception.

From GDPR: ‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’). An ‘identifiable natural person’ is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

In a particular set of circumstances, can you identify natural persons by using IP addresses and other data, or IP addresses alone? If you can't, then the IP addresses being collected in those circumstances are not personal data.

  • "an online identifier" isn't IP an "online identifier"? – J. Doe Feb 25 '20 at 19:43
  • @J.Doe It can be. – Lag Feb 25 '20 at 20:06
  • @Lag, IP alone doesn't allow you to identify a person. However, combined with other information it can be used to identify a person. Thus it is personal data. – riggedCoinflip Sep 22 '20 at 06:00
  • @riggedCoinflip Is it personal data when it cannot be combined with other information to identify a person? – Lag Oct 01 '20 at 07:27
  • @Lag I strongly disagree. It is possible to identify the owner of an internet connection by its IP address. Therefore it is considered personal data. – dmuensterer Oct 06 '20 at 10:59
  • @dmuensterer 1. Do you think 8.8.8.8 is personal data? 2. Possible for who? – Lag Oct 08 '20 at 09:11
  • @Lag 1. I don't understand the discussion. It is a fact that under european law, IP addresses may be considered personal data (https://gdpr-info.eu/recitals/no-30/) which is why IP logging of residential IP addresses needs to fall under the six bases for personal data collection. 2. Easily possible for the ISP or any entity asking the ISP to deliver the data, e.g. public authorities or legal firms. – dmuensterer Oct 08 '20 at 10:54
  • @dmuensterer "It is a fact that under european law, IP addresses may be considered personal data" - yes, "may be", that's my point, it is not saying they "are". "Natural persons may be associated with online identifiers ... This may leave traces ... [This] may be used to [identify people]" - not, "Natural persons are associated with online identifiers ... This will leave traces ... [This] is used to [identify people]." Understand the distinction? – Lag Oct 12 '20 at 11:20
  • @dmuensterer This is why riggedCoinflip mentioned combining the info with other data and why you talk about ISPs and such being able to identify people from IP addresses - because ISPs can know the IP addresses assigned to their users. If I run a one screen website, a simple bit of marketing blurb, I've got IP addresses in the web server logs but I can't identify users from them or other info to which I have access. In that context they are not personal data. – Lag Oct 12 '20 at 11:24
  • "I've got IP addresses in the web server logs but I can't identify users from them or other info to which I have access. In that context they are not personal data". No, they are. The fact that you specifically cannot identify the person behind it is irrelevant. – dmuensterer Oct 12 '20 at 13:13
  • @dmuensterer Go on... – Lag Oct 12 '20 at 13:18
  • @Lag The criteria is not that the person legitimately storing the data can determine the natural person associated to it. It is there are people who could if they possessed the data. Obviously not every IP address is personal data, but the fact, that almost only consumers will visit the average website leads to a very high amount of residential IP addresses. If you don't want to pick out the corporate ones, you'll need to treat every address as if they were personal data. – dmuensterer Oct 12 '20 at 15:28
  • @dmuensterer OK, I disagree that the legal criteria is any person if they possessed the data. The criteria is "the means reasonably likely to be used by the controller or by another person to identify the natural person". I agree that in practice a website admin should err on the side of caution. – Lag Oct 15 '20 at 13:01
  • so residential IP by itself is not pii but if you can prove that it was matched with the name on the account or some pii, it is pii, right? – kirill_igum Nov 04 '20 at 04:34
  • It's interesting because a few years ago, people were getting into a lot of trouble for illegal downloads based on IP. – kirill_igum Nov 04 '20 at 04:36
  • @dmuensterer "It is possible to identify the owner of an internet connection by its IP address. Therefore it is considered personal data." -- It's no more possible than identifying a taxi passenger by the taxi plates. If the driver kept detailed info on the passengers - their ID, time of ride - then it might be possible. Otherwise, just the plate won't say anything. – Yuri Geinish Nov 13 '21 at 21:22