Most server/frame works log ip address, but do not tie them to an account. If the account is deleted and the ip addresses are not than that seems like a potential violation as long as ip addresses are considered personal information. As a result the most common configuration is potentially in violation.
How about asking and recording a persons birthday when really all you need to know is if they are the age of majority? A birthday is more information than needed which seems like a violation GDPR when interpreted strictly with my cursory knowledge. Seems unlikely though that any regulator would enforce such a distinction though.
IP addresses are only PII if you are able to actually use them identify an individual.
> The CJEU decided that a dynamic IP address will be personal data in the hands of a website operator if:
there is another party (such as an ISP) that can link the dynamic IP address to the identity of an individual; and
the website operator has a "legal means" of obtaining access to the information held by the ISP in order to identify the individual. [1]
So once the account info is deleted, that link is broken. This another piece of DP legislation that has been subject to a great deal of FUD since most of the headlines just went with ‘court confirms IP address are PII’ and omitted ‘in some cases’. TBH, this was already pretty explicitly obvious from the legislation defining Personally Identifiable Information (hint: clue’s in the name).
> So once the account info is deleted, that link is broken. This another piece of DP legislation that has been subject to a great deal of FUD since most of the headlines just went with ‘court confirms IP address are PII’ and omitted ‘in some cases’. TBH, this was already pretty explicitly obvious from the legislation defining Personally Identifiable Information (hint: clue’s in the name).
Makes sense.
Given the above still seems like a potential issue to not delete the ip logs.
1) Bob signs up for a service and is logged
2) Bob than asks for his account to be deleted. Account details are deleted, but the ip logs are retained.
3) Bob signs back up for a new account allowing the data processor to make the link from his new account to his ip old logs with the first account.
Weather the data processor can relink the two records with reasonable probability in step 3 depends on the particulars of the circumstance.
I assume cases like the above will be judged, at least in part, based on the data processor following best practices, and operating in good faith(not actively trying to unmask individuals and actively try to prevent unmasking).
Currently I would not let the GDPR stop me from going forward with any web services plans, however my casual reading of GDPR articles on HN and beyond have not made it obvious how cases like the above will be handled.
How about asking and recording a persons birthday when really all you need to know is if they are the age of majority? A birthday is more information than needed which seems like a violation GDPR when interpreted strictly with my cursory knowledge. Seems unlikely though that any regulator would enforce such a distinction though.