[BlueOnyx:22110] Re: Attn. German BlueOnyx users: DSGVO update (again!)

Ken Hohhof khohhof at kwom.com
Fri May 25 07:56:41 -05 2018


Thanks for the link to the article.

I find it strange that someone visits my website, using an IP address from an ISP's allocated IP address space, and hypothetically I could through lawful means compel the ISP to reveal to me account details like name and address of the ISP customer corresponding to that IP address at the time of the website visit.  And is the court worried that I can obtain those details, which are surely personal data?  No, the court is worried that I retain a logfile showing what IP address visited my website.

Not sure if it mattered that the website in the court case was a government website.

Also I am in the US, and here the most likely reason for serving an ISP with a court order to obtain customer account details corresponding to an IP address would be some sort of criminal activity like trafficking in child porn, soliciting minors online for sex, plotting a terrorist act, ....  And the entity wanting the information would be law enforcement.  I guess everybody has stuff like Facebook and Cambridge Analytica on the brain now, rather than kiddie porn or terrorists.  Or copyright trolls and bootleg music, that's ancient history.

Germany seems to be an outlier in all this, I saw an article recently about Facebook "deletion centers" in Germany, with the largest one in Berlin employing over 1,200 "content moderators".

https://www.nytimes.com/2018/05/19/technology/facebook-deletion-center-germany.html

Having "deletion centers" seems very Orwellian.  I'm not sure which is more disturbing, the fact that we have government-mandated deletion centers, or that social media has so much objectionable content that we need deletion centers.

I've got to go now, the Ministry of Truth is contacting me on the Telescreen.


-----Original Message-----
From: Blueonyx <blueonyx-bounces at mail.blueonyx.it> On Behalf Of Michael Stauber
Sent: Thursday, May 24, 2018 9:58 PM
To: blueonyx at mail.blueonyx.it
Subject: [BlueOnyx:22109] Re: Attn. German BlueOnyx users: DSGVO update (again!)

Hi Ken,

> If website logfiles are to be purged after 7 or 14 days, are you 
> allowed to keep website analytics as long as they are anonymous, i.e. 
> divorced from visitor identification like IP addresses?  I'm talking 
> about counts of pageviews and unique visitors, top referrers and entry 
> pages, browsers, etc.

I am no lawyer, so I can only tell you what I *think* the law means and would ask you to get the solid facts from a GDPR expert or lawyer.

It is my impression that it's fine to keep anonymized website analytic data that has been sanitized of parts of the visitor's IP. However: The thing here is that the degree of anonymization is debatable. Is it enough to strip the last octet off an IPv4 address? And the last segment of an IPv6 IP? Or does it need to be more than that?

From what I read into the German implementation of the law this whole thing is such a vague and ambiguous shit-show that it will keep lawyers and courts well fed for the next 10-15 years.

> (Still not sure why an IP address is considered personal or private 
> information.)

That was established in the Court of Justice of the European Union (the
"CJEU") in the ruling of Case 582/14 – Patrick Breyer v Germany.

See:
https://www.whitecase.com/publications/alert/court-confirms-ip-addresses-are-personal-data-some-cases

The full court ruling can be found here:

http://curia.europa.eu/juris/document/document.jsf?text=&docid=184668&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1

--
With best regards

Michael Stauber
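
The truncation discussed in the quoted message (dropping the last IPv4 octet or the last IPv6 segment), as an added example that is not part of either message: it rewrites the client field of constructed Apache-style log lines. The function names and the /24, /112 and /48 prefix lengths are assumptions chosen for illustration.

```python
import ipaddress

# Constructed sample lines in Apache common log format (documentation address ranges).
SAMPLE_LOG = [
    '192.0.2.77 - - [25/May/2018:07:56:41 -0500] "GET / HTTP/1.1" 200 512',
    '2001:db8:85a3::8a2e:370:7334 - - [25/May/2018:07:57:02 -0500] "GET /a HTTP/1.1" 200 99',
    '::ffff:198.51.100.9 - - [25/May/2018:07:58:10 -0500] "GET /b HTTP/1.1" 404 0',
    'localhost - - [25/May/2018:07:59:00 -0500] "GET /c HTTP/1.1" 200 7',
]


def anonymize_ip(text, v4_prefix=24, v6_prefix=112):
    """Zero the host bits of an address; return non-IP text (hostnames, '-') unchanged.

    Defaults mirror the thread: /24 strips the last IPv4 octet, /112 strips the
    last IPv6 segment. They are assumptions for illustration, not legal guidance.
    """
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return text
    # ::ffff:a.b.c.d carries a complete IPv4 address; truncating it with the
    # IPv6 prefix would cut at the wrong place, so handle it as IPv4.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def anonymize_log_line(line, **prefixes):
    """Rewrite the first field, which holds the client address in this log format."""
    host, sep, rest = line.partition(" ")
    return anonymize_ip(host, **prefixes) + sep + rest


def addresses_per_bucket(version, prefix):
    """How many distinct addresses collapse into one truncated value."""
    return 2 ** ((32 if version == 4 else 128) - prefix)


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(anonymize_log_line(line))
    # /24 hides an IPv4 client among 256 addresses. /112 hides an IPv6 client among
    # 65536, but ISPs commonly delegate a /64 or larger to one subscriber, so that
    # bucket usually lies inside a single customer's network; /48 is coarser.
    print(addresses_per_bucket(4, 24), addresses_per_bucket(6, 112))
    print(anonymize_log_line(SAMPLE_LOG[1], v6_prefix=48))
```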