
Countless websites are served by webserver software (Apache, nginx, etc.) which logs the source IP address of every web page visit. The GDPR considers an IP address "personal data" that is subject to the GDPR. The GDPR requires consent of the subject for collection or storage of personal data (in this case, IP addresses in a log file). How is a website owner supposed to acquire consent by way of the website if the very act of visiting the website page to acquire consent records the "personal data" about which consent is being granted?

Obviously, the option is available to website owners to configure their webservers not to log IP addresses, but that has security implications. Do these security concerns suffice to absolve a website owner from requiring consent to log IP addresses? Is a prominent notice (on every page, until dismissed) sufficient?

How is the GDPR supposed to be interpreted with respect to the extremely common and prevalent practice of IP address logging?

(I have read Would GDPR affect my own personal website? and the answers at the time of this writing are not sufficiently satisfactory. Article 6, paragraph 1 does not make the question of automatic IP address logging without explicit consent clearly acceptable or not. http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN )

bdb484
Pistos
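The question mentions a middle ground only in passing: instead of switching IP logging off entirely, a site can keep the fields it needs for security while truncating the client address to a network prefix. The script below is an added example illustrating that practice; it is not from the question or the answers, and the log lines it processes are constructed for the example. It rewrites nginx/Apache "combined" format lines so that IPv4 addresses are reduced to a /24 and IPv6 addresses to a /48 (both prefix lengths are assumptions chosen for illustration), and then shows that a coarse security signal, the count of failed logins per prefix, still survives the truncation.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the nginx/Apache "combined" log format.
# The client address is the first whitespace-delimited field.
SAMPLE_LOG = [
    '203.0.113.42 - - [10/Oct/2018:13:55:36 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '2001:db8:85a3::8a2e:370:7334 - - [10/Oct/2018:13:55:37 +0000] "GET /login HTTP/1.1" 401 0 "-" "curl/7.58.0"',
    'not-an-ip - - [10/Oct/2018:13:55:38 +0000] "GET / HTTP/1.1" 400 0 "-" "-"',
]

# Matches the quoted request line followed by the three-digit status code.
STATUS_RE = re.compile(r'"[^"]*" (\d{3}) ')


def anonymize_ip(addr, v4_prefix=24, v6_prefix=48):
    """Truncate an IP address to its network prefix.

    Returns the network address as a string, or None when the field is not
    a valid IP address. The default prefix lengths are assumptions for this
    example, not values taken from the GDPR or from any web server.
    """
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    prefix = v4_prefix if ip.version == 4 else v6_prefix
    # strict=False lets ip_network zero the host bits for us.
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(net.network_address)


def anonymize_log_line(line):
    """Replace the leading client address of a combined-format line.

    Fields that are not parseable as an IP address are replaced with "-",
    the placeholder nginx itself uses for empty values.
    """
    client, sep, rest = line.partition(" ")
    anon = anonymize_ip(client)
    if anon is None:
        anon = "-"
    return anon + sep + rest


def failed_logins_by_prefix(lines):
    """Count 401/403 responses per truncated client prefix.

    Demonstrates that brute-force style activity is still visible at prefix
    granularity even though individual addresses are no longer stored.
    """
    counts = Counter()
    for line in lines:
        client = line.partition(" ")[0]
        prefix = anonymize_ip(client)
        if prefix is None:
            continue
        match = STATUS_RE.search(line)
        if match and match.group(1) in ("401", "403"):
            counts[prefix] += 1
    return dict(counts)


if __name__ == "__main__":
    for raw in SAMPLE_LOG:
        print(anonymize_log_line(raw))
    print(failed_logins_by_prefix(SAMPLE_LOG))
```

In practice this transformation would run as a log-shipping filter or a post-rotation step, so the full address never reaches long-term storage; the per-prefix counter stands in for whatever the site's real alerting rule is.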

2 Answers


In the question, you write:

The GDPR requires consent of the subject for collection or storage of personal data (in this case, IP addresses in a log file).

No, it does not.

To quote Miss Infogeek:
GDPR DOES NOT MAKE CONSENT A MANDATORY REQUIREMENT FOR ALL PROCESSING OF PERSONAL DATA.

Consent (Article 6 (1)a) is indeed one of the conditions that can be used to comply with the GDPR requirement that processing must be lawful, but it is not the only condition available to the controller to ensure lawful processing – there are alternatives (before the list of conditions it says that "at least one of the following" must be satisfied).

All the conditions for lawfulness of processing are spelled out in Article 6 of the GDPR.

One of the alternatives is Article 6 (1)f. It says it is legal to process personal data if

processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. (my emphasis)

As noted in the question, logging IP addresses for the purpose of security is an extremely widespread practice. It is a legitimate interest to comply with standard security practices. It is the default, and most (all?) web-sites do this.

I.e. it is legal to do this without consent (if this were not the case, I am pretty sure the outcry would have been heard all over the Internet by now).

Free Radical

The GDPR considers an IP address "personal data" that is subject to the GDPR.

That seems to be a common misconception.

From GDPR: 'Personal data' means any information relating to an identified or identifiable natural person ('data subject'). An 'identifiable natural person' is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

In a particular set of circumstances, can you identify natural persons by using IP addresses and other data, or IP addresses alone? If you can't, then the IP addresses being collected in those circumstances are not personal data.

Lag