The passing of the General Data Protection Regulation (GDPR) has ushered in a lot of changes. One notable change is its classification of an IP address as personal data. However, classifying an IP address as personal data is wrong on multiple levels.
Here’s what you need to know.
Why GDPR Considers It Personal Data
In the EU, GDPR states that IP addresses should be considered personal data since they fall under ‘online identifiers.’ However, in the case of a dynamic IP address, which changes every time a person connects to a network, there’s debate over whether it can truly lead to the identification of a person.
Here, GDPR's position is that the person is identifiable because the ISP has a record of who held the temporary dynamic IP address and the website provider has a record of the web pages accessed from that dynamic IP address. If those two pieces of info were combined, the website provider could find out the identity of the person behind a certain dynamic IP address.
GDPR’s reasoning, in theory, makes sense. But just how easy is it to execute? Not very, by a long shot.
Why It Should Be Considered Non-Personal Data
While the EU considers an IP address personal data, in reality it should be considered non-personal data. Here’s why. An IP address doesn’t mean I was the person doing the searching. There’s always the potential that there are multiple users on the same IP address.
Sure, if you wanted to know which user was me, you could track me on the same IP address if you had 15 other pieces of data. But who has the other 15 pieces of data? Not many.
There’s also the complication that with GDPR, a person can now request to have any record of themselves on an IP address deleted. However, to do that, all of the info has to be deleted, including that of others who use the same IP address. Not only does this affect people who didn’t want their data deleted, it poses a serious security threat, too.
What happens when fraudsters decide to use these deletion requests to their advantage? That presents a hindrance to anti-fraud tools that use IP addresses to recognize fraud.
Unfortunately, for now, we don’t have much recourse other than to simply disagree with the GDPR ruling. All we can do is wait and see what happens when complications occur, and how they’re handled. Buckle up, we’re in for a bumpy ride.