[BlueOnyx:22109] Re: Attn. German BlueOnyx users: DSGVO update (again!)

[Michael Stauber]

Hi Ken,

> If website logfiles are to be purged after 7 or 14 days, 
> are you allowed to keep website analytics as long as they are
> anonymous, i.e. divorced from visitor identification like IP
> addresses?  I'm talking about counts of pageviews and unique visitors,
> top referrers and entry pages, browsers, etc.

I am no lawyer, so I can only tell you what I *think* the law means and
would ask you to get the solid facts from an GDPR expert or lawyer.

It is my impression that it's fine to keep anonymized website analytic
data that has been sanitized of parts of the visitors IP. However: The
thing here is that the degree of anonymization is debatable. Is it
enough to strip the last octet off an IPv4 address? And the last segment
of an IPv6 IP? Or does it need to more than that?

>From what I read into the German implementation of the law this whole
thing is such a vague and ambiguous shit-show that it will keep lawyers
and courts well fed for the next 10-15 years.

> (Still not sure why an IP address is considered personal or private information.)

That was established in the Court of Justice of the European Union (the
"CJEU") in the ruling of Case 582/14 – Patrick Breyer v Germany.

See:
https://www.whitecase.com/publications/alert/court-confirms-ip-addresses-are-personal-data-some-cases

The full court ruling can be found here:

http://curia.europa.eu/juris/document/document.jsf?text=&docid=184668&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1

-- 
With best regards

Michael Stauber