> There are reasons that are useful to users to keep their IP addresses in a database, and there are risks with keeping their IP addresses in a database. This is why the ICO also recommends you blank out the last octet of the IP address.
Note: If you are going to use that IP address for determining location (which is common when dealing with the EU, because that is one of the things the EU considers acceptable evidence to justify your choice of which country's VAT to collect for an online sale), do the location lookup before blanking the last octet.
I had hoped that the first 24 bits would be sufficient to determine country, but that is not the case. For example, here are current results from MaxMind's GeoIP service:
5.62.58.243 US
5.62.58.244 US
5.62.58.245 DE
5.62.58.246 DE
5.62.58.247 DE
5.62.58.248 US
5.62.58.249 US
5.62.58.250 US
A couple weeks ago, BTW, 5.62.58.244 was identified as DE. This suggests that it might be a good idea to keep the full IP address around at least until you file your quarterly VAT MOSS documents, so that you can do another lookup then and possibly get a clearer picture of who you owe VAT to for the sale.
PS: I have no relationship with whoever owns those IP addresses, as far as I know. A few weeks ago I did GeoIP lookups on all 4 billion IPv4 addresses to find all the ranges of US IP addresses (there were 22029 ranges) as part of optimizing a filter that is supposed to reject non-US traffic from certain reports. To get an example for this comment I looked through those ranges for one where there were two different US ranges overlapping the same /24, and 5.62.58.0/24 was the first one I noticed.
Those IP addresses belong to the same AS, have the same announcement[1], and have very similar traceroute outputs (both have final hops around Miami). The only thing different is their reverse DNS, which I think is throwing MaxMind's algorithms off.
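As an added illustration of the two points above (do the location lookup before blanking the last octet, and a /24 is not enough to decide the country on its own), here is example code that is not part of the original thread. The per-address GeoIP results for 5.62.58.243-250 are taken from the list above and embedded as a constructed stand-in for a real GeoIP database; the rule of keeping only the first 48 bits of an IPv6 address is my own assumption, since the thread only discusses the IPv4 last octet.

```python
import ipaddress
from typing import Dict, Optional, Set

# Constructed stand-in for a GeoIP database: the results quoted in the comment
# above for 5.62.58.243-250. A real system would query MaxMind or similar.
GEOIP_SNAPSHOT: Dict[str, str] = {
    "5.62.58.243": "US",
    "5.62.58.244": "US",
    "5.62.58.245": "DE",
    "5.62.58.246": "DE",
    "5.62.58.247": "DE",
    "5.62.58.248": "US",
    "5.62.58.249": "US",
    "5.62.58.250": "US",
}


def geoip_country(ip: str) -> Optional[str]:
    """Return the country code for an exact address, or None if unknown."""
    return GEOIP_SNAPSHOT.get(ip)


def anonymize_ip(ip: str) -> str:
    """Zero the host part of an address before it is stored.

    IPv4: blank the last octet, i.e. keep the /24 (the ICO suggestion in the
    thread). IPv6: keep the first 48 bits (assumption, not from the thread).
    """
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def record_sale(ip: str) -> Dict[str, Optional[str]]:
    """Correct order: geolocate the full address first, then anonymize it."""
    country = geoip_country(ip)
    return {"ip": anonymize_ip(ip), "country": country}


def record_sale_wrong(ip: str) -> Dict[str, Optional[str]]:
    """Wrong order: anonymize first, then try to geolocate the blanked address.

    The /24 network address is not in the database (and even if it were, the
    block below shows it would be ambiguous), so the country is lost.
    """
    anon = anonymize_ip(ip)
    return {"ip": anon, "country": geoip_country(anon)}


def countries_in_block(cidr: str) -> Set[str]:
    """Distinct countries the snapshot reports for addresses inside a block.

    More than one entry means the block alone cannot tell you the country.
    """
    net = ipaddress.ip_network(cidr)
    return {
        country
        for ip, country in GEOIP_SNAPSHOT.items()
        if ipaddress.ip_address(ip) in net
    }


if __name__ == "__main__":
    sample = "5.62.58.245"
    print("lookup then blank:", record_sale(sample))
    print("blank then lookup:", record_sale_wrong(sample))
    print("countries in 5.62.58.0/24:", sorted(countries_in_block("5.62.58.0/24")))
```

The point to take from `countries_in_block` is that the same /24 returns both US and DE, so storing only the blanked address and deciding VAT later is not an option; the country has to be decided while the full address is still available, and if you want to repeat the lookup before filing, the full address has to be retained for that window on purpose rather than by accident.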
https://gdpr-info.eu/art-4-gdpr/
"‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;"
So yeah, a single IP in isolation might not trace back to a single individual - but with a timestamp and billing info it might track to a residence - with other data (e.g. age, occupation) it certainly will trace back to an individual.
I'm surprised at the ICO's interpretation / statement on this.
> > i don't think it's meant as a tool for "book burning"
> I think you've mistaken my statement of "I suspect Hacker News would..." for a legal/professional opinion about what Hacker News should do, or would be compelled to do under the GDPR.
Indeed, that wasn't meant as a direct reply to you, more as a general comment on the GDPR.
There's a provision on right to be forgotten, and it'll be interesting to see that vis-a-vis a public interest in keeping an open archive of public discourse.
> The reason I think Hacker News would simply delete it has nothing to do with the GDPR, but because they seem to have responded to requests to delete an account and comments in the past:
True. I don't think that'll be enough to comply with the GDPR. Just as storing child pornography in bulk isn't OK if you remove individual pictures on request.
On appeal, the Regional Court of Berlin (the "Kammergericht") ruled that IP addresses in the hands of website operators could qualify as personal data if the relevant individual provides additional details to the website operator (e.g., name, email address, etc.) in the course of using the website.
That's basically the same thing as the John Smith example: There's a threshold when you have personally identifying information, and whilst it can certainly include an IP address in some circumstances, there are enough other valid uses for the IP (fraud, VAT, etc) and enough uncertainty (NAT, multiuser computers, etc) that it by itself isn't PII.
> There's a provision on right to be forgotten, and it'll be interesting to see that vis-a-vis a public interest in keeping an open archive of public discourse.
Yes. I don't think it's clear what Internet forums are required to do.
So a flag to hide all the comments of a user who has chosen to be forgotten should be sufficient.
However, if a site wants to refuse the order, they may be successful if they can argue the comments are in the public interest, but if I were a company that wanted to refuse a person's rights in this way, I would call the ICO to get clarity.
> I don't think that'll be enough to comply with the GDPR.
If someone contacts the data controller (e.g. pg) and asks to have their data removed (or flagged hidden or whatever), and pg does it, why don't you think that would be compliant?
The reason I think Hacker News would simply delete it has nothing to do with the GDPR, but because they seem to have responded to requests to delete an account and comments in the past:
* https://news.ycombinator.com/item?id=2493474
> i don't think it's meant as a tool for "book burning"
I think you've mistaken my statement of "I suspect Hacker News would..." for a legal/professional opinion about what Hacker News should do, or would be compelled to do under the GDPR.
That wasn't my intention.
> If the ip is logged along with actions, that'd also be considered personal data, and fall under the GDPR.
The ICO disagrees.
https://ico.org.uk/media/for-organisations/documents/1591/pe...
"A single household PC may have different family members using it under the same login identity. As a result, the IP address and cookies cannot be connected to a single user. Therefore it is unlikely that this information will be personal data."
That it may be personal data does not mean that it is personal data, nor are you under an express obligation to attempt to unmask anyone that you might have the ability to do so.
There is a risk/reward concept in the GDPR however. There are reasons that are useful to users to keep their IP addresses in a database, and there are risks with keeping their IP addresses in a database. This is why the ICO also recommends you blank out the last octet of the IP address.