GDPR (sigh) and theme compliance


(Tomas Jakobs) #21

Sorry that’s misleading and not true: check http://curia.europa.eu/juris/document/document.jsf?docid=184668&doclang=EN

IP addresses are personal data, as they allow identification past ISP boundaries even if they are assigned dynamically. The European Court of Justice has made that very clear. If the English think they want to do cherry picking again, go ahead though it doesn’t make your statement any more correct.

Much more interesting than IP addresses is the necessary to Opt-In with all 3rd parties and not like the Opt-Out practiced by Google so far. This means no externally-hosted fonts, maps, jQueries, Fontawesome etc. without prior permission. A strong jurisdiction to protect citizens from surveillance and to protect the infrastructure. Just imagine the impact of highjacked jQuery hosts or Git or even Google Fonts.


(Michael M.) #22

See last paragraph: Are Dynamic IP Addresses Personal Data?

I posted that link some weeks ago


(Phil Bird) #23

There is no need at all for such xenophobic attitudes to be displayed regarding this subject or any other on this forum for that matter. Generalising by nation in response to an individual is just wrong.


(George Peacock) #24

As I understand it - and I emphasis I am still find out things about this topic. The GDPR is all about opting in and and opting out of having your data shared.

I don’t think referencing a google font for instance comes within its remit - as mentioned in previous posts.

Thought this might help contribute with respect to cookies and web dev (cut and Paste) …
Cookies clearly exempt from consent according to the EU advisory body on data protection- WP29 include:

  • user‑input cookies (session-id) such as first‑party cookies to keep track of the user’s input when filling online forms, shopping carts, etc., for the duration of a session or persistent cookies limited to a few hours in some cases
  • authentication cookies, to identify the user once he has logged in, for the duration of a session
  • user‑centric security cookies, used to detect authentication abuses, for a limited persistent duration
  • multimedia content player cookies, used to store technical data to play back video or audio content, for the duration of a session
  • load‑balancing cookies, for the duration of session
  • user‑interface customisation cookies such as language or font preferences, for the duration of a session (or slightly longer)
  • third‑party social plug‑in content‑sharing cookies, for logged‑in members of a social network.

For instance a month ago we were advising our clients that embedded youtube constituted an item that visitors should be able to opt out of as youtube holds preferences. However we now understand it that we can ignore these aspects for likes of youtube.
Another area was social network services like addthis.com We have used addthis with some client sites quite successfully. However addthis has a whole host of cookies and tracking and whilst, they themselves say, they respect privacy etc etc. We still feel we should allow web visitors to opt out of the whole host of cookies they use.

We thus need stacks like the stacks4stacks cookie manager that allow websites to include items according to what a visitor decides. Another third party service we like is cookiebiot. Its a bit over the top IMHO re compliance but if you have a client who is seriously concerned it offers a belt and braces approach and control.

Hope this has helped and thats to others for looking into this as well - a lot to learn here.
George


(Barrie McDermid) #25

Whilst this law should be taken seriously, it is a bit of a logistical nightmare. I’ve had many companies chasing me with email after email trying to get me to re-sign up for their lists, whereas some (including marketing companies whose business is sending marketing emails) are taking the view that existing mailing lists are fine as there has been the option to unsubscribe on previous emails.

My (limited) understanding is that GDPR is to protect EU citizens from data abuse from big companies like Google, Facebook etc.

If anyone goes to court over this, it is likely to be a big company who really are taking the mickey with data abuse.

If you have a small website for a local church and you use Google fonts, I would suggest you are probably shouldn’t worry too much.

I congratulate and thank all of the developers who are working really hard (in most cases unrewarded) with their updates. I personally really appreciate it and I suspect I am not alone in this.


(Martyn Coles) #26

I totally agree with your thoughts here Barry. As an absolute amateur with no coding knowledge or any idea how to make my single (favour for a friend) non-commercial website completely GDPR compliant or even if it needs to be. I shall muddle along and make fixes as I understand them. In the mean-time, as I believe there will be different layers of sanctions from the “GDPR police” starting with advice, If I were to be contacted about GDPR and given said advice I would re-evaluate wether it would be worth my while keeping the website up or not. I’m not even sure if it is down to me or the friend who requested the website who would be responsible for GDPR compliance.

I concur with your words about developers, without them I feel many would flounder.


(Simon) #27

The case you cite (Mr Breyer vs the Bundesrepublik Deutschland), demonstrates exactly that IPs are not personal data on their own. The ruling by the second court substantiates this (as it did with the first court). They specifically mentioned service providers who not only have the IP address, but additional data and therefore the additional data allows them to identify Mr Breyer via his IP hence in this case it is personal data. But they also ruled that where Mr Breyer had browsed German institutions and had not identified himself the IP was not classed as personal data. This court ruling does not give a blanket ruling that IP’s are personal data, but that some IPs (ie one’s with service providers) can be personal information where there is additional data to identify the individual or websites where you have identified yourself to the website.

This aside it asks the question how you can identify an individual by their IP without other data? This is not possible. The ruling is clear the personal data is data that identifies a person. Just throwing out a blanket statement to say IPs are personal data is not helpful nor true.

I know this has dragged on, but I’m concerned about the enormous task developers will go to when it is completely unnecessary.

Perhaps it would be helpful to change the focus from IPs to look at the actual definition of personal data as this will better help determine if you need to change something on your website. The GDPR states:

The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.
This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organisations collect information about people.
The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This could include chronologically ordered sets of manual records containing personal data.
Personal data that has been pseudonymised – eg key-coded – can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.
(https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/key-definitions/)

The key point is that anything that can identify a person is personal data. So you need to look through your website and see what you are processing that would identify an individual. Remember this concerns the data that you are processing. You are not responsible if another website obtains data from your website and other websites and then puts it together to form personal information, they are responsible for this data since they are processing it. You are only responsible for what you are processing.


(Simon) #28

This is not the court case and as I mentioned earlier does not make a blanket statement that IPs are personal data.


(Michael M.) #29

Believe me. In Germany it will be seen as personal data. Maybe not in the UK. It makes no sense to ignore this fact


(Simon) #30

In a court of law it does not matter how it is seen, what matters is what can be proved. If the prosecutor cannot explicitly prove that something is personal data by showing how an individual is identified by data being processed they will not even attempt to take it to court and this is not just IP addresses.

I really do not wish to have an argument or upset anyone. As I deal with churches and charities who don’t have the finance to hire legal teams, I have attended a specific seminar on GDPR and also had extended telephone conversations with the information Commissioners Office (ICO) to help those I advise. So far no explicit evidence has surfaced regarding IP addresses. The clearest is that in some situations they will be personal information depending on what other information is processed alongside it and in other situations they will not be personal information as no one can be identified.

The only thing I am trying to mitigate here is the creation of panic for developers when there is no reason to panic. I appreciate that the interpretation of the GDPR is far from harmonious and that the web is awash with scaremongering, but I would advise anyone looking to implement GDPR, to ensure that they have looked through the very helpful ICO website and call them where you have any issues of doubt, they are extremely helpful. I would also encourage that you don’t get fixated with IP addresses, but look at the broader issue which is personal information. This in the end will lead you to more helpful decisions in what changes you need to make.

The question I keep asking when creating websites is: “Who can be identified by this data?” If the answer is no one it does not fall under the GDPR, but if I can prove a specific individual is identifiable by the information I am processing it does fall under GDPR.

The ICO website is here: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
Their contact details are here: https://ico.org.uk/global/contact-us/
My phone calls last week had about a 30-40min wait so it might be an idea to list your questions.

I’m assuming that other EU member states have similar language specific websites and contact information.


(Jannis from inStacks Software) #31

As you are not familiar with German law, we are not with UK law. We should stop discussing the GDPR in its general rules, but speak about the specific laws in the different memeber states, best in several threads.

Mixing the laws of the different states doesn’t help other members of this forum.

And: in Germany, the IP address is in its own personal data. The German DSGVO law is more strict than the GDPR rules.


(Simon) #32

Could you please send a link where this is mentioned as I do maintain a german website.


(Doobox Software) #33

Just to make a point of how nonsensical this whole IP address debate is…
The moment someone visits your website you have their IP address, no matter if you think you removed all the CDN’s, and took other actions to ensure not collect or have another third party collect their IP, you already have it.
It’s readily available from within your host server control panel.
No acceptance messages on the visitor’s arrival is going to stop the collection of that IP even if rejected.


(Michael M.) #34

“Daher ist es konsequent, dynamische IP-Adressen generell als personenbeziehbare Daten den Regelungen des Datenschutzrechts zu unterwerfen.”

What means: It is therefore consistent to generally subject dynamic IP addresses as personal data to the regulations of data protection law.

It’s from the Landesbeauftragte für den Datenschutz Niedersachsen, so you can see this as an official statement


(Simon) #35

Thanks Michael, I read the article. The article from Niedersachsen does not change the fact. They are encouraging people to view dynamic IPs as personal data, but admit that if a person cannot be identified through other sources of information such as giving their identity the IP does not fall under personal information.

I can understand the caution in Germany as there are quite a number of groups checking websites to see if they can litigate, but the law even in Germany (I’ve looked through the DSGVO website which is a mirror of the UK GDPR) does not state that IP addresses are personal data. It all depends on whether a person is identifiable.


(Simon) #36

I agree.

I have yet to see anyone show how they can obtain the identity of an individual through the IP alone. It simply is not possible. Even if you had the name of the person who owned the device that the IP is being used on, that still doesn’t guarantee that that individual was using the device. My computer is used by four people.

This is why there is no legislation that makes IP addresses personal data per se, but only states that IP addresses could be personal information if other data is included that identifies the individual.


(Stuart Marshall) #37

I’ve just been testing out a Matomo analytics installation on my site and noticed during set up that, as default, they ‘anonymise the last byte(s) of visitor’s ip addresses to comply with your local privacy laws / guidelines’. The guide text that they have along side this says:

When users visit your website, Matomo will not use the full IP address (such as 213.34.51.91) but instead Matomo will anonymise it first (to 213.34.0.0). IP address anonymisation is one of the requirements set by the privacy laws in some countries such as Germany.

(Also, thanks to @NeilUK for mentioning Matomo in another post. Looks like a good tool with extensive options around privacy etc.)


(Jannis from inStacks Software) #38

Therefore, you have to create a contact with your hosting company to ensure this all is taken care of. Again, this is how we have to do it in Germany :wink:


(Doobox Software) #39

So you can kiss bye bye to PHP error logs as well then.
And without server logs, there’s no user blocking or prevention of brute force attacks and a bunch of other stuff that your host already needs the server logs to accomplish. Sure you can shut them off entirely if you wish.


(Simon) #40

That’s why there is no legislation currently in the EU that states that IPs are personal information. For all the comments on this thread, no one has yet provided a solid link to governmental legislation to any EU nation stating such. There is a reason for this. All EU nations signing up to GDPR have the same definition for personal information, that is, it must be able to identify a person. Also, no one has shown how it is possible to identify an individual using only the IP address. It simply is not possible.

Therefore, you can safely leave your logs alone unless you are supplying additional data that would allow an individual to be identified alongside the IP address.