Only without consent from the user. Previously it was an ethically grey area to be logging IP addresses anyway. If you are preventing malicious use, then that is allowed as long as you are not using that data outside of the bounds of the user's consent.
If, however, a company is storing IP addresses to identify users without their consent and are found to be specifically targeting them without their consent, then that is a misuse of data.
You are right that companies will be paying for this for a long time and it does take effort to comply, but if that's what it takes to protect user data, increase security across the board to prevent data breaches and kill off the players that never should be in the business to begin with then I'm all for it.
You appear to be suggesting that "intent" defines the shape of law here, but I really don't think that's the case.
By my reading, information becomes personal —and therefore subject to GDPR— when it can be used to identify people. If you've got login timestamps, IP addresses and user records, for legitimate reasons, any other logging that includes IPs is tainted because it takes anybody with that data two minutes to munge them together.
Intent, and actual business use-case play second fiddle to the worst-case, or "what could that data be used for?".
Worst case usage determines what information is subject to GDPR, but actual business use-case is what determines what data you are allowed to collect.
IP addresses are subject to GDPR, but that just means that you have to have either a legitimate business need for keeping them or to have the user's consent to keep them and you need to disclose to the user that you are keeping them and for how long.
You probably do have a legitimate need to keep IP address logs for some period of time to allow troubleshooting and possibly for a longer period of time to allow for fraud detection. As long as you are disclosing to the user that you are collecting that information and are abiding by the retention period that you are disclosing to users, then you will be allowed to collect logs of IP addresses.
Your intention and how you actually use the data are critical to an entity's compliance with the GDPR. If I am only using IP addresses for legitimate purposes of monitoring/protecting my network then that is very different to using IP addresses to assist in my tracking of users for advertising purposes for example.
The classification of data as personal data is likely beyond dispute but you are then under obligations on how you actually make use of that data.
Entities should have in place relevant protective measures to ensure that if you have only collected data for a limited purpose, it should not be used for purposes beyond that.
In my experience of having lived all my life in the EU and mostly in 3 countries of the union, all law enforcement here is about intent, unlike the US for instance (as far as I read online of course, like the Nintendo copyright case linked here a week ago). Copyright, drugs, bankrupting your company etc, judges look at intent not literally what the law says. So this will not be different. Nothing will change if you are not trying to actually go against what the law intends to protect.
Mens rea (i.e. intent) is part of common law criminality (along with actus reus, which is the actual doing of something illegal). The United States, having its legal system derived from that of England’s (and thus being a common law legal system), absolutely requires intent when considering whether or not someone or some organization has committed a crime.
I’m not familiar with the referenced Nintendo case, but mens rea is usually only considered in criminal cases. Unless you’re prosecuting someone for illegally downloading copyrighted material or some such thing, intent wouldn’t be considered (it can increase liability in civil cases, though).
Now that you mention it; I do see it in crime shows. But the case I mentioned was about if a Nintendo modchip could be used for good or only for evil according to the EU while the US court just yelled copyright infringement and put some hacker in jail. Those are the cases we read about in the press over here and most people find it ridiculous over here to go to jail (aka ruin lives) over something as small as copyright infringement. Courts agree as they usually mostly slap on a fine based on the intent.
And it even gets more interesting: The question is not if you can identify a user by merging your different data sets. The question is if you can identify a user if you merge one of your data sets with any other data set, even if this set is currently not in your possession. (This can happen if the provider is able to match IP addresses to personal information.)
Intent comes into play when you determine the appropriate processing basis; for e.g. preventing abuse, the basis isn't consent and therefore consent is not required. So GP is partially wrong. If your intent is to use the data for marketing purposes, then you are much more likely to require consent. See LI balancing tests.
Leaving the last three digits out of logs gives you all the information you might need without making it possible to tie it back to a specific user. Google Analytics actually has an option for that.
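The truncation described in the comment above, as an added example that is not part of the thread: it reads "the last three digits" as the last IPv4 octet and rewrites constructed access-log lines before they are stored. The /48 cut for IPv6, the handling of IPv4-mapped addresses and all function names are assumptions of this example.

```python
import ipaddress
import re

# Prefix lengths kept after truncation (assumed defaults for this example):
# /24 zeroes the last IPv4 octet, /48 zeroes the last 80 bits of an IPv6 address.
V4_KEEP = 24
V6_KEEP = 48

# Loose candidate matcher; ipaddress does the real validation afterwards.
_CANDIDATE = re.compile(r"(?<![\w.:])[0-9A-Fa-f:.]{2,45}(?![\w.:])")


def anonymize_ip(text, v4_keep=V4_KEEP, v6_keep=V6_KEEP):
    """Return the address with its host bits zeroed, or None if not an IP."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return None
    # An IPv4-mapped address (::ffff:a.b.c.d) keeps the IPv4 address in its
    # low 32 bits; a /48 mask would reduce it to "::" and lose the network
    # part, so unwrap it and truncate it as IPv4 instead.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    keep = v4_keep if addr.version == 4 else v6_keep
    net = ipaddress.ip_network(f"{addr}/{keep}", strict=False)
    return str(net.network_address)


def anonymize_line(line):
    """Truncate every IP address found in a log line, leave the rest as is."""
    def repl(match):
        return anonymize_ip(match.group(0)) or match.group(0)
    return _CANDIDATE.sub(repl, line)


# Constructed sample lines using documentation address ranges.
SAMPLE_LOG = [
    '203.0.113.77 - - [10/Oct/2023:13:55:36 +0000] "GET /a.css HTTP/1.1" 200 512',
    '2001:db8:85a3:8d3:1319:8a2e:370:7348 - - [10/Oct/2023:13:55:37 +0000] "GET / HTTP/1.1" 200 90',
    '::ffff:198.51.100.23 - - [10/Oct/2023:13:55:38 +0000] "POST /login HTTP/1.1" 401 0',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(anonymize_line(entry))
```

Four-part version strings in a user-agent field also parse as IPv4 and would be truncated, so a production filter should restrict itself to the fields that actually carry addresses.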
IP logging is not ethically ambiguous in any way. It's 100% okay. You chose to connect to that IP. If you don't want your IP logged don't send an IP packet to that address. It's very simple.
This is beyond ridiculous. The entitlement I see here is cancerous in the literal sense.
Holy shit can't you read up before complaining without knowing the details? There is the exception that you may use and store data that is necessary for providing the service. Thus, since ip is necessary for talking to a server, you don't need to explicitly ask for consent. However you MUST NOT do anything else with that IP, like logging it for longer than necessary or tracking users across sites (without consent).
Why do you need to log ip? To prevent abuse? That's ok. For how long? That's up to you to decide, but it must be motivated and documented.
What's so hard to understand? How is this not perfectly reasonable already? Why are you entitled to not respect other's personal data?
Because 1) your analogy is off. People forget, a machine does not 2) GDPR is about privacy; tracking people's behaviour, linking things together without explicit consent is not allowed according to GDPR.
1. If I am writing it down, as my analogy suggests, it is not forgotten.
2. I understand what it's about.
If you want to make tracking people and linking things together illegal, great.
However, my argument in response to the OP intended to illustrate that recording information about someone's actions, particularly when it's a party who is part of the interaction creating the recording, does not seem to have some preexisting moral expectation or attached to it.
Hence, to me at least, the GDPR's directives are not objectively reasonable or obvious in some way as suggested by the OP.
I also think forbidding certain uses of the data is more reasonable than to regulate its collection and storage. But yes, that's probably riskier and harder to enforce.
It's ok to take a picture of the street out of your front window
It's not ok to take a picture of everyone that walks in front of your house, timestamped and on top of that you search their picture on Facebook (supposing you could do that) and keep all that info forever
> It's not ok to take a picture of everyone that walks in front of your house, timestamped and on top of that you search their picture on Facebook (supposing you could do that) and keep all that info forever
Why not? It's certainly not obvious why this is the case.
I guess that's a fair question. Two reasons come to mind:
1. If the by-passers were to discover what you've done they might feel violated. This is why there are laws against stalking. Thus in this example it would be all about intent.
2. What if your database leaks? Have you considered that event, the probability of it happening, and the impact? How can you minimize the risk? Is it encrypted? How long do you need to store it for? Can it be anonymized? Do you even need to look up name? Is the potential privacy intrusion proportional to the purpose of collecting the data?
To be GDPR-compliant you must have answered all those questions and documented it.
The EU is very consumer protection focused, which is very different from the US. It's just a point of view I don't see how you can perceive it as entitlement. Not everyone knows how privacy works and how much data is available by not using a VPN.
Keeping a log of visitors to your own computing resources is an ethical grey area since when? IP Addresses themselves are most useful for deanonymization/violating privacy when shared across organizations, or converted to accounts from ISPs. Why does GDPR target the storage of them and not the sharing or conversion of this type of data?
One other interesting thing to keep in mind is that GDPR does not exempt public, government organisations. It will be interesting to see what happens with that, if anything.