IP address is personal data

I saw this article in my LinkedIn feed (Sebnem Erener) voiced her opinion on this.

IP address IS personal data. Identification does not only mean the name, address, location of a person but also potential identifiability, linkability and inference. Any information that is useful in tandem with other data points to identify individuals is personal data. Account must be given to all the means likely reasonably to be used for identification, paying attention to the current state of technology. In other words, if it would not take disproportionate effort to (re)identify a person it is personal data and must be protected, including IP addresses. This is not only based on the interpretation of the GDPR but has been established by ISO, Article 29 WP and ECJ previously.

Just to give my 2-cents to Sebnem’s LinkedIn post. Outside of the technical side, given that 20 years of my career have been in IT and security, I understand why he thinks how he does, but he is nonetheless wrong!

Take just 2 of his arguments of why the IP address is not personal data in his ‘non-so-humble’ opinion 😉

According to the article: An IP address is not personal to an individual. It is a shared piece of data. Some might argue that you can use IP addresses for tracking and targeting, but the truth is, they really are only useful in tandem with other data points.

Sorry but personal data is any data linked directly or indirectly to a natural person. See the linkability mentioned in Sebnem’s post.

Then we move on to another argument:

According to the article: Article 17 of GDPR, the Right to Erasure (“right to be forgotten”), states that anyone in the EU can request that a website delete all of their personal data, including records that correspond to their IP address………Why would someone need an IP address “forgotten?” 

Clearly the author is oblivious to the fact that the data subject does not have an ‘absolute right’ neither the concept of ‘legitimate interest’.


2 Replies to “IP address is personal data”

  1. Thanks for your hard work and all others working towards protecting information that should be privat or locked by the government agencies in Sweden.
    To bad Sweden more or less is an anomaly when it comes to protecting their citizens personal information, which is also part of the basic human rights, from being used and abused by anyone, including the tax office (Skatteverket). Sweden is overal a great country, but it has zero preparedness against anything, which is quite worrying. Let’s hope this ePrivacy Regulation will be implemented real soon.

    1. I agree with you Mats. I love Sweden too, and I expect this anomaly to be fixed with the ePrivacy Regulation. In fact, the wording almost looks as though it’s been written especially for Sweden 😉

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.