
Incorrect. In the "Breyer" ruling[0] the highest European court concluded that dynamic IP addresses are PII (not just personal data, and not just data), as there is an abstract risk that combining IP addresses with other data can lead to identification of a user. The ruling explicitly said that the mere risk of such an identification is enough, not that such an identification has to actually happen.

Subsequent rulings by many courts have found that all IP addresses are PII, for various reasons, such as that "static" IP addresses bear the same risk of indirect identification, and there is no reliable way to distinguish between "dynamic" and "static" addresses anyway.

The recent German ruling that Google Fonts violates the GDPR just by transmitting an IP to Google (by making the web browser fetch a resource from a Google server) hammered home this point, citing the EU ruling again[0].

This is different from, e.g., a streaming provider keeping a history of songs you played. This data is personal data, but it is not personally identifiable data, as this history alone cannot be used to identify a person. However, if this history has some kind of identifier attached that links back to account information or an IP address, that identifier would be PII, as this identifier could be used to indirectly identify a person.

[0] https://curia.europa.eu/juris/document/document.jsf;?text=&d...

[1] https://rewis.io/urteile/urteil/lhm-20-01-2022-3-o-1749320/

Die dynamische IP-Adresse stellt für einen Webseitenbetreiber ein personenbezogenes Datum dar, denn der Webseitenbetreiber verfügt abstrakt über rechtliche Mittel, die vernünftigerweise eingesetzt werden könnten, um mithilfe Dritter, und zwar der zuständigen Behörde und des Internetzugangsanbieters, die betreffende Person anhand der gespeicherten IP-Adressen bestimmen zu lassen (BGH, Urteil vom 16.05.2017 - VI ZR 135/13)[2].

Translated, to the best of my abilities:

The dynamic IP address is to a web site operator a piece of personally identifiable data, because the web site operator abstractly has legal means, which could be reasonably used, with the help of third parties, namely the responsible authority and the internet service provider, to identify the person in question with the use of the stored IP address (BGH, ruling from the 16th of May 2017, VI ZR 135/13)[2].

[2] The BGH ruling quoted is the "Breyer" ruling again, just at the German national level instead of the EU level. The Bundesgerichtshof (BGH, highest German court of ordinary law) asked the European Court of Justice to settle the question of whether dynamic IP addresses are PII, which the ECJ affirmatively settled in [0].




This is a very interesting legal document, and I'll have to take the time to read it slowly before I can judge it.

It centers around this line:

   ... not PD for you, can become PD when you give it to someone else
and claims that, as this potentiality can always be fulfilled, you should consider it PD. This would invalidate the first part of the post, but is still not enough to make a default deploy of a logging http server illegal because of the 6.1(f) legitimate interest rule. In fact, things like 21.1(b) might make it obligatory.

Now we are in lawyer 'interesting question' territory which costs a lot of money, and I still don't think you'll need to worry, because you're not violating the spirit of the law. Personally, I'll go on depending on 2.2(c).



