IP address is personal data

I saw this article in my LinkedIn feed (Sebnem Erener) voiced her opinion on this.

IP address IS personal data. Identification does not only mean the name, address, location of a person but also potential identifiability, linkability and inference. Any information that is useful in tandem with other data points to identify individuals is personal data. Account must be given to all the means likely reasonably to be used for identification, paying attention to the current state of technology. In other words, if it would not take disproportionate effort to (re)identify a person it is personal data and must be protected, including IP addresses. This is not only based on the interpretation of the GDPR but has been established by ISO, Article 29 WP and ECJ previously.

Just to give my 2-cents to Sebnem’s LinkedIn post. Outside of the technical side, given that 20 years of my career have been in IT and security, I understand why he thinks how he does, but he is nonetheless wrong!

Take just 2 of his arguments of why the IP address is not personal data in his ‘non-so-humble’ opinion 😉

According to the article: An IP address is not personal to an individual. It is a shared piece of data. Some might argue that you can use IP addresses for tracking and targeting, but the truth is, they really are only useful in tandem with other data points.

Sorry but personal data is any data linked directly or indirectly to a natural person. See the linkability mentioned in Sebnem’s post.

Then we move on to another argument:

According to the article: Article 17 of GDPR, the Right to Erasure (“right to be forgotten”), states that anyone in the EU can request that a website delete all of their personal data, including records that correspond to their IP address………Why would someone need an IP address “forgotten?” 

Clearly the author is oblivious to the fact that the data subject does not have an ‘absolute right’ neither the concept of ‘legitimate interest’.


Swedish utgivningsbevis is still in force

It has been interesting watching the action now being made to claim the rights of the data subject as stipulated in the GDPR. On average there seems to be for the larger businesses around 10 SARs requests, although, to say on average is not correct in that we are only one month into the aftermath of the GDPR 🙂

I was delighted to see Lucas Khan in action, claiming to have his personal data removed from public sources in Sweden which is the product of something called an utgivningsbevis issued in the name of freedom of speech. I wrote loads on this since already, and its great to have some company 🙂

btw. this will be fixed with the e-Privacy Regulation. I’ll dig out the quote later in another post.

Some of the posts:

Personal data is still PUBLIC in Sweden!

Personal data still public and for sale in Sweden!

Sweden is going to have fun with the new Data Protection Regulation

Ratsit is so kind as to remove sensitive data from public eyes

There is more. Just search 🙂

Personal data is still PUBLIC in Sweden!

It seems that the clash on freedom of information and the GDPR in Sweden has finally hit mainstream knowledge.

Sweden’s open society is clashing with EU privacy law, and regulators are frustrated

While the General Data Protection Regulation will this week come into effect across the European Union, some companies in Sweden have nothing to fear — for now at least — thanks to a peculiarity of Swedish free-expression law.


If you want some background reading on the problem, here is some stuff I posted in 2014-2015.



Swedish SA likes its GDPR teeth!

I took a beautiful long lunch with a client today, DPO lady in insurance sector, on an island outside of Stockholm. It was really a cool conversation when we discussed the latest. It seems that the Swedish SA (Datainspektion) graced with a new set of teeth is set on using them!

“Datainspektionen startar nu sin första granskning enligt den nya dataskyddslagen GDPR. 80 myndigheter, företag och organisationer mĂ„ste visa att man utsett de dataskyddsombud som lagen krĂ€ver.”


After a long and frustrating journey for the Datainspektion under the old DPA, it was very cool to see that they are GDPR energised into serious action 🙂



I received this tip from one of our clients last week. It is a GDPR sleep aid in the App Calm, for those of you that use it. I use it normally for Mindfulness.

Now, last night I tested it, and it works! They have a great commentator which reads out the GDPR text, well not all, but I was asleep before he had finished 😮 which was quite awesome.

More on the initiative can be found here 🙂


Personal data still public and for sale in Sweden!

Copied from dataskydd.net.

Flera stora myndigheter har personuppgiftsförsÀljning som affÀrsmodell. Det gör att finansieringen av myndigheternas verksamhet och personalbehov knutits till förmÄgan att sÀlja inflytande över individers liv och identiteter till utomstÄende. Skatteverkets SPAR-register ger svenska privatpersoner sÀmre kontroll över vem som pÄverkar dem Àn vad Google, en av vÀrldens frÀmsta datainsamlare, gör.

Sedan slutet av 1980-talet har svenska lagstiftare skapat ett mĂ„ngfaldigt och spretigt skydd för individers rĂ€ttigheter som sĂ€rreglerar varje myndigheter. Dessa lagar kallas “registerförfattningarna” och det tog regeringen hela fyra Ă„r, mellan 2011 och 2015, att göra en nĂ„gorlunda fullstĂ€ndig översikt.1 Regeringens arbete Ă€r fortfarande inte slut,2 och det pĂ„gĂ„ende arbetet verkar riktat mot att bevara spretigheten .3

EU:s dataskyddspaket Àr en kulturkrock för det svenska myndighetsvÀsendet. Dataskyddspaketet sÀtter individens egen förmÄga att utöva sina rÀttigheter i centrum, medan svenska registerförfattningar utgÄr frÄn att lagstiftare och myndigheter ska utöva rÀttigheterna Ät individen. Dataskyddspaketet utgÄr frÄn att kunskap om en individ Àr makt över en individ, och att makten ska utgÄ frÄn individens eget samtycke. Datahanteringen pÄ svenska myndigheter utgÄr frÄn att kunskap om individen frÀmst Àr ett verktyg för myndigheten att bedriva sin verksamhet.

Did we accidentally uninscribe you?

I love the GDPR. Whether correct or not, missing the ‘soft opt-in’, I love my new mailbox after the 25th. By default I did not opt-in, all that shit has disappeared, and today I received an email ‘did we accidentally uninscribe you’. Just to be sure that I really didn’t want to opt-in. Okay I would prefer not to receive anything, but I guess, hope this is the last I hear from them, and from them all 🙂

EAGLE - 01

Life after 25th May feels like harmony! Privacy by Design in practice, i.e. the user shouldn’t need to do anything to protect their privacy, privacy by default! And these principles have been around since the 1990s!