
The ruling against Google Analytics in France is quite simple: Google Analytics as used by an unnamed website was not compliant with GDPR, because it exports user data to a country that has privacy laws that are not up to GDPR standards, which is not allowed. This is on the unnamed website and they are compelled to stop this illegal export of user data by either only exporting anonymized statistics or stopping use of Google Analytics entirely.

Of course this isn’t yet a perfect banning of GA and Google might be able to work around it, but it’s something. And in fact, anonymized statistics would probably be OK (depending on the details of course).




But this actually highlights exactly what I mean. What if I simply stood up a plain old Apache server to host my website but that happened to be hosted in the US. No analytics, just a few HTML files and that’s it.

I’m still in this scenario sending PII of EU citizens in the form of IP addresses to the US, which are just written to /var/log/apache.

It seems obviously different and yet as that ruling seems to imply it wouldn’t be unless I’m missing something here between first and third party capture or something?


Default configurations of logging on most servers are illegal now under GDPR since they save IP addresses.


This pops up regularly, but AFAIK it's not correct. The law is much more fine-grained than the USA PII concept. IP addresses are only personal data (PD) if you are capable of using them as an identification mechanism. If you don't, they are not. This also means that something that is not PD for you can become PD when you give it to someone else. Or that 2 items which are not PD themselves become PD when you combine them. Or that being hacked turns non-PD into PD.

Even as PD, using IP addresses to maintain a website is fine, even without consent. Using them to track individuals is not fine. Having a log rotation policy and a sane security policy so you can demonstrate when you throw them away is a good idea.

To be short: Install Debian, drop nginx on it, then let it log as it wants. This is legal. But don't you dare mine the logs for abusing PD.


Do you have a source? My observation came from multiple lawyers in the context of "to stay on the safe side".


Incorrect. In the "Breyer" ruling[0] the highest European court concluded that dynamic IP addresses are PII (not just personal data, and not just data), as there is an abstract risk that combining IP addresses with other data can lead to identification of a user. The ruling explicitly said that the mere risk of such an identification is enough, not that such an identification has to actually happen.

Subsequent rulings by many courts have found that all IP addresses are PII, for various reasons, such as "static" IP addresses bear the same risk of indirect identification, and there is no reliable way to distinguish between "dynamic" and "static" addresses anyway.

The recent German ruling that Google Fonts violates the GDPR just by transmitting an IP to Google (by making the web browser fetch a resource from a Google server) hammered home this point, citing the EU ruling again[0].

This is different to e.g. a streaming provider keeping a history of songs you played. This data is personal data, but it is not personally identifiable data as this history alone cannot be used to identify a person. However, if this history has some kind of identifier attached that links back to account information or an IP address, that identifier would be PII, as this identifier could be used to indirectly identify a person.

[0] https://curia.europa.eu/juris/document/document.jsf;?text=&d...

[1] https://rewis.io/urteile/urteil/lhm-20-01-2022-3-o-1749320/

Die dynamische IP-Adresse stellt für einen Webseitenbetreiber ein personenbezogenes Datum dar, denn der Webseitenbetreiber verfügt abstrakt über rechtliche Mittel, die vernünftigerweise eingesetzt werden könnten, um mithilfe Dritter, und zwar der zuständigen Behörde und des Internetzugangsanbieters, die betreffende Person anhand der gespeicherten IP-Adressen bestimmen zu lassen (BGH, Urteil vom 16.05.2017 - VI ZR 135/13)[2].

Translated, best to my abilities:

The dynamic IP address is to a web site operator a piece of personally identifiable data, because the web site operator abstractly has legal means, which could be reasonably used, with the help of third parties, namely the responsible authority and the internet service provider, to identify the person in question with the use of the stored IP address (BGH, ruling from the 16th of May 2017, VI ZR 135/13)[2].

[2] The BGH ruling quoted is the "Breyer" ruling again, just at the German national level instead of the EU level. The Bundesgerichtshof (BGH, highest German court of ordinary law) asked the European Court of Justice to settle the question of whether dynamic IP addresses are PII, which the ECJ affirmatively settled in [0].


This is a very interesting legal document, and I'll have to take the time to read it slowly before I can judge it.

It centers around this line:

   ... not PD for you, can become PD when you give it to someone else
and claims that, as this potentiality can always be fulfilled, you should consider it PD. This would invalidate the first part of the post, but is still not enough to make a default deploy of a logging HTTP server illegal because of the 6.1(f) legitimate interest rule. In fact, things like 21.1(b) might make it obligatory.

Now we are in lawyer 'interesting question' territory which costs a lot of money, and I still don't think you'll need to worry, because you're not violating the spirit of the law. Personally, I'll go on depending on 2.2(c)


It's not illegal to store such information in default logs per se, even without explicit consent, if it would fall into the "legitimate interest" category[0], e.g. you need it to operate the service and prevent abuse, and there is no less intrusive way to e.g. reasonably monitor for and prevent abuse.

However, you cannot share such logs without consent, you still have an obligation to inform users about your legitimate interest assessment and what data you store, and you still have to abide by other rights of users such as the right of users to ask for a copy of the data you store about them.

[0] Art 6.1.f https://gdpr.eu/article-6-how-to-process-personal-data-legal...


Gdpr.eu is not an official EU resource. There is no official guidance saying that IP address in logs falls under "legitimate interest" and every lawyer I asked advised against it "just to be on the safe side".

One actually added: Do you really want to test our government's understanding of "legitimate interest" for your business in court?


>Gdpr.eu is not an official EU resource.

Yes, but I never claimed that they were. The text that I linked is a copy of the official GDPR text (and recitals), not an article they wrote on the topic. I used their website because I find it more usable, as they added cross-reference links and recital links. But if you prefer, read the official EU version[0], which is the same in content and in words.

>There is no official guidance saying that IP address in logs falls under "legitimate interest"

I haven't said that. I said storing IPs in logs might be legal, if there is a legitimate interest and/or there is consent.

There are actually two official recitals straight up addressing that topic. Recital 47 states (in part): "[...] The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest." (This is not meant to be an exhaustive list)

Recital 49 states (in full): "The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, by public authorities, by computer emergency response teams (CERTs), computer security incident response teams (CSIRTs), by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned. This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems."

These recitals were specifically added to address some points that had already been litigated in the past in various European courts.

>and every lawyer I asked advised against it "just to be on the safe side".

Good for your lawyers (that you keep mentioning all across threads). I don't know your lawyers, but they seem overly cautious - even for lawyers - and maybe a little bit under-educated on the subject matter. But they still have a point. You cannot just store access logs containing IP addresses, you have to have a legitimate interest, and be able to articulate this legitimate interest, and see if lawmakers and courts would consider your "interest" to be "legitimate". Which is easy when it comes to fraud detection and network security/abuse (thanks to the recitals), less easy when it comes to other areas, and pretty easy when it comes to different areas that are clearly against the text or spirit of the GDPR; e.g. nobody will buy an argument of "my legitimate interest is that I want to earn money from tracking and selling user data".

[0] https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL...

[1] https://gdpr.eu/Recital-47-Overriding-legitimate-interest or https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL...

[2] https://gdpr.eu/Recital-49-Network-and-information-security-... or https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL...



