Under GDPR any kind of data processing falls under the protection umbrella. And that includes the data processing that automatically happens during the creation of a TCP/IP connection - where the recipient party automatically gains knowledge of the IP address of the other side.
For a web site itself this is generally fine as it is a technical necessity and intended by the user... however stuff that is not necessary to fulfill the user intention such as any kind of tracking or telemetry is opt-in only.
And yes this was and is the explicit intention why the GDPR was passed in the first place: get rid of involuntary tracking, telemetry and other data thefts.
> Under GDPR any kind of data processing falls under the protection umbrella.
If processing IPs always required consent, every website, app, and operating system would have to come with a cookie banner. Instead, processing IPs falls under the "required to make things work" banner. I'm sure VSCode processes your IP address for many things such as installing extensions and updates and nobody is arguing they need consent for those.
This particular case is complicated since it's telemetry, however, they are gathering non-identifying data.
I suspect this is currently a grey area of the GDPR which would take a lot of money and lawyer time to work out. In the meantime, MS (and many others) are taking the point of view that this non-identifying data gathering is important for the work of making the software better and therefore doesn't require consent. Personally, that seems reasonable. None of my actual identifying data is being collected, so this matches the spirit of the law at least, if not the letter.
> If processing IPs always required consent, every website, app, and operating system would have to come with a cookie banner.
Or, you know, they could just not do data collection or limit to reasonable amounts? The way stuff used to be before ubiquitous broadband connections? As the GDPR intended?
> Instead, processing IPs falls under the "required to make things work" banner. I'm sure VSCode processes your IP address for many things such as installing extensions and updates and nobody is arguing they need consent for those.
Because installing updates is something the user wants and needs (and is recommended by international IT security standard). But telemetry is not something the user wants or needs and the software works fine without the data, therefore it should be opt-in only.
The problem: Microsoft formally has the Ireland subsidiary listed for data processing (as many US tech companies do), and the Irish DPO is notorious for being slow and lax. It will take years for courts to decide on that matter.
Well, I honestly don't care enough about non-identifying data being collected to continue this discussion. However, if you really feel that this is illegal under the GDPR, rather than wait for lawyers to get involved (which might never happen), why not open an issue on the VSCode repo and discuss it there?
Even if they dismiss it, it might help matters for lawyers at a later date - as in, they can point to the issue that was opened and say, you cannot deny being aware of this issue because you dismissed people's concerns previously.
For a web site itself this is generally fine as it is a technical necessity and intended by the user... however stuff that is not necessary to fulfill the user intention such as any kind of tracking or telemetry is opt-in only.
And yes this was and is the explicit intention why the GDPR was passed in the first place: get rid of involuntary tracking, telemetry and other data thefts.