> 1. The core concept in GDPR, personal data, is defined sloppily: "data relating to an identifiable natural person". It doesn't work because "relating to" is a hand-wave. Your name is obviously personal data, but (according to mainstream legal interpretation) so are IP addresses, despite the fact that people do not have IP addresses, network interfaces do.
No, it's not, unless you have logs or database records that links the IP address to a person (such as a login from that IP). And I bet you do, that's why it bothers you.
> 2. Personal data is not defined in terms of the context in which it appears, which is crucially important. If I have the text "John Smith" in a database in a column called "name" and it actually relates to a person called "John Smith", that's clearly personal data. But what if someone uses my platform to spin up a VM with the hostname "johnsmith" - is that personal data? According to my lawyers, the answer is "maybe". I know lawyers have a tendency to be like that, but the law itself shouldn't leave the question open.
Users can leave data that identifies them in various places. Sometimes they do it intentionally, sometimes not. It's your job to warn them and obtain consent.
3. The construction of the law is poorly thought-out and leads to silly contradictions, e.g. if you have someone's personal data and you are told to stop processing it, you must stop processing it. But storage, erasure and transmission are all classed as processing, and it's logically impossible not to do at least one of these things.
> No, it's not, unless you have logs or database records that links the IP address to a person (such as a login from that IP). And I bet you do, that's why it bothers you.
Nope, the scenario is which this came up for me was about keeping IP addresses in a blacklist in a firewall. No logs or linking or anything.
> Users can leave data that identifies them in various places. Sometimes they do it intentionally, sometimes not. It's your job to warn them and obtain consent.
If it's my job to obtain individuals' consent to process their personal data in contexts where they have no business putting personal data, the law is poorly-designed.
Thanks for the info and links, that's genuinely useful. For the record I know my example isn't a watertight logical gotcha; it's an example of how GDPR's language is (IMHO) imprecise and unhelpful.
No, it's not, unless you have logs or database records that links the IP address to a person (such as a login from that IP). And I bet you do, that's why it bothers you.
> 2. Personal data is not defined in terms of the context in which it appears, which is crucially important. If I have the text "John Smith" in a database in a column called "name" and it actually relates to a person called "John Smith", that's clearly personal data. But what if someone uses my platform to spin up a VM with the hostname "johnsmith" - is that personal data? According to my lawyers, the answer is "maybe". I know lawyers have a tendency to be like that, but the law itself shouldn't leave the question open.
Users can leave data that identifies them in various places. Sometimes they do it intentionally, sometimes not. It's your job to warn them and obtain consent.
3. The construction of the law is poorly thought-out and leads to silly contradictions, e.g. if you have someone's personal data and you are told to stop processing it, you must stop processing it. But storage, erasure and transmission are all classed as processing, and it's logically impossible not to do at least one of these things.
In this case, removing data is a legal obligation you have. Processing data (by deleting it) to obey law is one of the exceptions in GDPR (art.6/1./c, and also art.17/3./b). https://gdpr-info.eu/art-6-gdpr/ https://gdpr-info.eu/art-17-gdpr/