Sorry, was going on the case of "if you're not an ISP"
IP, when tied to other data becomes the scope of personal data.
However, removing the other data renders it no longer personal data.
This firmly puts it in the "it's not personal data" camp. Since it's the other data that is personally identifiable that gives it context.
It's only relevant for ISPs really, but really good job on proving my "creating confusion for no reason" point.
In the context of online accounts (in video games, where I work) it can't be used to identify real world people because we don't ever link to a real world identity. In cases where you log details about people individually (as in- a bank) you just don't log user details beside access logs and you're set. IP on it's own is not personally identifiable, and is out of scope for GDPR.
I have taken the same stance. Have had lawyers tell me that I am wrong. Have had other lawyers telle the opposite. -shrug- when it specifically lists IP address as an example of PD in one section, the fact that another says things are only PD if you can identify a person doesn't NECESSARILY over rule that.
I think a lot of this is a red herring. If you are gathering the IP address under the contract lawful basis, then it doesn't matter if it's personally identifying or not. Where it get's tricky is when you are not gathering the IP address under contract lawful basis.
The tricky thing about GDPR is choosing the correct lawful basis. I think people reach for the legitimate interest card too quickly because they see it as a "get out of jail free" card. But then it ends up complicating things enormously -- especially since legitimate interest can be objected to. I've seen people agonising in public about what to do because the personally identifying information is necessary to provide the service they are offering. If you're in the situation where if someone objects to the use of their data, then it breaks the whole service -- well you're in contract lawful basis territory.
IP addresses are potentially complicated, though. I'm not sure what's supposed to happen when you receive personally identifying information from someone that you don't have a contract with. The law does seem to be vague on what constitutes a "contract", because in some cases it seems to imply something different than what contract law says (i.e. if there is no consideration, it seems I can still use contract lawful basis). In this situation, if I have a P2P network and I need your IP address to fulfil my side of the protocol, then I should be able to use it under contract basis. However, I'm unclear about the actual legality of it -- especially when the information is sent to you by an intermediate node.
To me, that's what needs to be cleared up. I expect it will be over a period of time. I don't think the law was written with that kind of stuff in mind. It's kind of interesting, though. I imagine it is a violation of the GDPR to track what individuals are downloading in bittorrent without giving them a legitimate interest notice, though (and allowing them to object! and be forgotten!). It will be interesting to see if anybody complains about that kind of thing.
That case literally does not support the claim you make. The court decided that:
* dynamic IPs can be considered personal info if the entity collecting them has legals means to get additional information related to that IP (these legal means exist in Germany, if the entity believes they are being cyberattacked)
* according to the less restrictive law though, "The operator of a website may have a legitimate interest in storing certain personal data relating to visitors to that website in order to protect itself against cyberattacks"
* note then that: this issue is no longer an issue (since GDPR is in play now) and that GDPR actually allows the collection of dynamic IPs if the entity needs to do this to protect from cyberattack
It's kind of funny. You say "case literally does not support the claim" I make then continue to say what I said in a different way.
I was responding to a person that was claiming that essentially IP addresses are only personal data for ISPs or ISP like businesses. Which is simply not the case.
I didn't say IP addresses were always considered personal data, I simply said it can be personal data, which you also stated in your post. That it's not cut and dry. The person I was responding to was posting that IP addresses are definitively NOT personal data.
The point is, context for IPs matters. The person I was replying to was way over simplifying.
I'm not entirely sure what claim you think I made that the case doesn't back up as you essentially stated what I did just with more specificity. In any case I totally agree with your post since it's the same point I was making :)
IP, when tied to other data becomes the scope of personal data.
However, removing the other data renders it no longer personal data.
This firmly puts it in the "it's not personal data" camp. Since it's the other data that is personally identifiable that gives it context.
It's only relevant for ISPs really, but really good job on proving my "creating confusion for no reason" point.
In the context of online accounts (in video games, where I work) it can't be used to identify real world people because we don't ever link to a real world identity. In cases where you log details about people individually (as in- a bank) you just don't log user details beside access logs and you're set. IP on it's own is not personally identifiable, and is out of scope for GDPR.