No way to get an exact number or comparative ratio, but most users don't need static IP addresses. ISP networks use dynamic IP address for their customer accounts.

Hi keyplyr so having a list of dynamic IP addresses in some logs, and no further identifying information does not really constitute personal identifiable information for the sake of GDPR.

If the visitor interacts with the site, sending a message by a form for example, that secondary piece of information could tie the IP address used for that session with the identifiable person who filled in the form. But the next time they visit they would likely have a new IP address?

Not necessarily. some connections can stay live for weeks or months on end, depending on how the isp is set up and how long the users computer is connected.

AFAIK the GDPR does not consider normal server logs that record IP address activity as "collecting information" about users, regardless of whether the IP address is static or dynamic.

This is a matter of interpretation ( which is often the case ).

If I don't make mistake, a lawsuit in Germany lead to the conclusion that an IP address IS a personal information. So now, this is an argument which can be reused by lawyers.

Since server logs are recording data, this is a collection of data.

So if you put the two together, server log is collecting personal information.

Now, you can consider the risk of getting into troubles to be low, but the risk exists.

Hi TravisDGarrett yes my understanding is that GDPR rates IP addresses as personal information.

Indeed, recital 30 says:

"Online identifiers for profiling and identification*

Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them."

The other issue with server log, and IP is that , you are collecting this information without the visitor explicit consent. Which is also something to take in consideration.

And "Art. 4 GDPR Definitions

1 ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

2 ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

I suppose information that IP address 123 had been browsing the website of Joe's Blue Widgets for 10 minutes on a Tuesday, isn't really sensitive information.

Now keep in mind that, even if the EU might sounds very picky sometimes, I guess (only a guess) that in case of a control, you can argue your situation, and agents controlling you can evaluate if you stick with the state of mind of the law, or not.

For example, if you record the IP address of 123, just for anonymous statistic purpose (knowing how many unique visitors, how many pages view per visit, etc...), I think this is something which can be legitimate and shouldn't cause issue. But in that case, once the stats for the day are computed, you no longer need the IP.

But, if you sell/transmit this information, to another company , which might exploit it to profile the individual behind 123, that is a problematic.

Same if your server is hacked and the logs exposed, or exploited, this can be a problem too. Let's say 123 is static IP, if the logs are publicly exposed then anyone can know that 123 was visiting Joe's site on Tuesday, which can have other consequences.

Keep in mind that the GDPR makes you liable for the use of the data you collected, even by others.

Also not everybody can identify an individual behind an IP address, but sometimes, only the reverse of the IP is delivering tons of information. Like the city.

I know I am paranoiac :-)

I don't think it is paranoia TravisDGarrett, a lot of people are going to great lengths to comply with the GDPR, and this IP address and log files, or for that matter Google Analytics issue I haven't seen discussed so much. And there is not so much time left before GDPR goes live.

And there is not so much time left before GDPR goes live.

Indeed. The law was voted in 2016, so since two years, I've been thinking and working a lot about all of it. I might be a bit excessive in my approach, but I am tying to do things right and the best as I can :-)

As I said above:

...the GDPR does not consider normal server logs that record IP address activity as "collecting information" about users

If the GDPR did consider that a privacy violation, every server on the internet would be at fault.

the GDPR does not consider normal server logs that record IP address activity as "collecting information" about users

Do you have a link to a source?

every server on the internet would be at fault.

According to the EU, all European sites are at fault about the cookie consent, since the consent has to be granted before dropping a cookie.

I read once an article about the French's CNIL. Their interpretation of the GDPR was that server logs were considered part of the data collection process.

Related discussions:

[webmasterworld.com...]

[webmasterworld.com...]

I meant from authoritative or legal sources.

This is not authoritative either but for example : [ctrl.blog...]

The default configuration of popular web servers including Apache Web Server and NGINX collect and store at least two of the following three types of logs:

Access logs
Error logs (including processing-language logs like PHP)
Security audit logs (e.g. ModSecurity)

All of these logs contains personal information by default under the new regulation. IP addresses are specifically defined as personal data per Article 4, Point 1; and Recital 49. The logs can also contain usernames if your web service use them as part of their URL structure, and even the referral information that is logged by default can contain personal information (e.g. unintended collection of sensitive data; like being referred from a sensitive-subject website).

If you don’t have a legitimate need to store these logs you should disable logging in your web server. You’re not even allowed to store this type of information without having obtained direct consent for the purposes you intend to store the information for from the persons you’re storing information about. The less customer information you store the lower the risk to your organization.

Interesting blog TravisDGarrett ..

So if IP addresses are Personal Identifiable Information, under GDPR, does that mean we have to present new website visitors with a consent form, (like the cookie consent form?) to get their consent to record their IP address in our logs. And we may have to record that consent, unless we ban anyone that does not consent!

It is a bit odd because if they don't share their IP address we don't know where to send the files they have requested!

In the most extreme enforcement scenario, the EU's new law may end up forcing servers to not keep logs containing IP addresses, but I don't think that will happen.

Right now there's just unsubstantiated conjecture what the GDPR will end up inforcing.

If I don't make mistake the GDPR is about the "storing/saving" and "sharing" of private information. If you log an IP , you save it beyond the connection itself.

In your example, yes, the server needs to know the IP address with which it is communicating, but once the file is sent, the IP is no longer needed.

Now, the question is why do you need to keep this IP address of a visitor.

I don't think this is a big deal if this is only for access.log file, that Apache, Nginx, etc... is writing. But, for example, if you use this access.log to profile visitors, like for example, analyzing which pages a given visitor has requested, then it might be against the GDPR (if you didn't receive he consent of the visitor to do it). Or, if your access.log is leaked, then again, it might be a problem regarding to the GDPR, because these information can be exploited by others, for all kind of purpose.

But keyplyr the law was enacted in 2016 and comes into force May 2018 - less than 100 days away.
It is getting pretty late for conjecture! :-) Surely we should know by now.

I think the the GDPR has two goals, (compared to previous directives/laws)

- to make companies aware of their responsibilities, toward the data they are collecting and manipulating. Lot of companies are collecting data, without really being aware of all the implications and consequences. The fear of a huge fine, is forcing companies to think about it, and audit their data and process, and improve it, (A random example, I still see professional sites where, when you forget your password, they can send it to you by e-mail! It means that they keep your password in plain text in their database, and they mail it at the risk of an interception).

- to give a legal frame, in case of legal actions, European citizens will more easily be able to obtain that companies (and mostly Internet giants) to stop exploiting their personal information for anything.

It is getting pretty late for conjecture! :-) Surely we should know by now.

That's what I'm saying. All these opinions are only that... opinions. The only facts are what is in the GDPR itself.

What we are waiting to see is how strictly it will end up being enforced.

Well Article 4 is pretty clear: "an online identifier " is personal data.

Article 4
Definitions
For the purposes of this Regulation:
(1) 'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Which suggests we have to decide if consent or legitimate interests are a reasonable way of processing, that is if we don't want to give up the benefits of logging website access and analytics. Or don't want to anonymise these activities.

A lot of this is cart before the horse. I suspect there will be some challenges in the future if there is any over-reach.

I suspect some websites will put up a banner to new visitors asking their consent to processing IP addresses, and if that is denied, preventing visitors from entering the website. This would be the consent argument.

The other possibility is a statement in their privacy policy about what they do with IP addresses, how long they are kept, who they are shared with etc - this would be the legitimate interest defence!

I am not sure that lot of a websites owners, are as picky as "us" about he GDRP.

Now, about your second point, in all events, our privacy policy needs to be clear and precise about everything which is collected, stored and processed. And the use of these data, even if barely no one is reading it.

Another point of the GDRP is that privacy policy / terms of service have to be simple, and not stuffed with tons of hard to read sentences and words :-)

Enforcement date: 25 May 2018 - at which time those organizations in non-compliance may face heavy fines.

[eugdpr.org...]