
I deal with GDPR daily and the truth is that GDPR enforcement doesn't understand what is acceptable from a GDPR standpoint and that is likely why they are in the process of revamping it. You can also anonymize data and that is no longer considered personal data under GDPR so it is possible to hash an IP address and that be acceptable.


> You can also anonymize data and that is no longer considered personal data under GDPR so it is possible to hash an IP address and that be acceptable.

That's not completely true. Recital 26 of GDPR stipulates that

> “information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.”

Hashing does not meet this threshold. If the same IP address is hashed using the same method, the result will always be the same, meaning it can be matched. Hashing is therefore considered pseudonymization and under GDPR, pseudonymized data is still considered personal data.

Moreover, the act of anonymization itself is a form of processing and therefore falls under the scope of GDPR. So even attempting to anonymize personal data doesn't remove GDPR obligations for the anonymization itself.


Disclaimer: IANAL

> If the same IP address is hashed using the same method, the result will always be the same, meaning it can be matched.

The way people get around this is by using an ephemeral salt, that is deleted e.g. daily. After enough time has passed, it'd be impossible to reverse the hash as the salt would be lost.
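The two mechanisms discussed in this thread side by side, as an added example that is not code from any commenter or from the analytics projects mentioned: a plain deterministic hash of an IP, which anyone holding a candidate IP can recompute and match, versus an HMAC keyed with a random salt that is regenerated each day and the previous day's salt discarded. The site identifier, the in-memory salt store, and HMAC-SHA256 as the keyed function are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
from datetime import date

# Constructed sample inputs (documentation-range addresses, not real visitors).
SAMPLE_IP = "203.0.113.7"
SAMPLE_SITE = "example.com"  # assumed per-site scoping of the visitor id


def plain_hash(ip: str) -> str:
    """Unsalted SHA-256 of the IP: deterministic, so the same input always
    yields the same output and a stored value can be matched by recomputing."""
    return hashlib.sha256(ip.encode()).hexdigest()


def candidate_matches_plain(stored_hash: str, candidate_ip: str) -> bool:
    """Anyone with a candidate IP can test it against an unsalted hash.
    This is why an unsalted hash is pseudonymization, not anonymization."""
    return hmac.compare_digest(plain_hash(candidate_ip), stored_hash)


class RotatingSaltHasher:
    """Visitor ids derived with a random salt that exists only for one day.

    Within a day the same (site, ip) maps to the same id, so a daily 'unique
    visitor' count still works; once the day rolls over the old salt is
    deleted, so ids from different days cannot be linked and no stored id
    can be recomputed from a candidate IP any more.
    """

    def __init__(self) -> None:
        self._salts: dict[date, bytes] = {}  # only the current day's salt is kept

    def _salt_for(self, day: date) -> bytes:
        # Simulate the daily deletion: forget every salt that is not for `day`.
        for old_day in [d for d in self._salts if d != day]:
            del self._salts[old_day]
        if day not in self._salts:
            self._salts[day] = secrets.token_bytes(32)
        return self._salts[day]

    def retained_days(self) -> list[date]:
        """Which days' salts still exist (should be at most one)."""
        return list(self._salts)

    def visitor_id(self, ip: str, site: str, day: date) -> str:
        """HMAC-SHA256 over site|ip keyed with that day's salt."""
        salt = self._salt_for(day)
        return hmac.new(salt, f"{site}|{ip}".encode(), hashlib.sha256).hexdigest()


def demo() -> dict:
    """Run both schemes on the constructed sample and report the properties."""
    day1, day2 = date(2024, 1, 1), date(2024, 1, 2)
    stored_plain = plain_hash(SAMPLE_IP)

    hasher = RotatingSaltHasher()
    id_day1_a = hasher.visitor_id(SAMPLE_IP, SAMPLE_SITE, day1)
    id_day1_b = hasher.visitor_id(SAMPLE_IP, SAMPLE_SITE, day1)
    id_day2 = hasher.visitor_id(SAMPLE_IP, SAMPLE_SITE, day2)  # day1 salt now gone

    return {
        # Unsalted: a candidate IP can be checked against the stored value.
        "plain_recomputable": candidate_matches_plain(stored_plain, SAMPLE_IP),
        # Salted: same day, same visitor -> same id (counting still works).
        "same_day_linkable": id_day1_a == id_day1_b,
        # Salted: different days cannot be joined.
        "cross_day_linkable": id_day1_a == id_day2,
        # Only the current day's salt remains after rotation.
        "salts_retained": hasher.retained_days(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design choice worth noting is the keyed HMAC rather than `sha256(salt + ip)`: it keeps the salt's role explicit and avoids length-extension concerns, and the daily deletion of the salt is what the "impossible to reverse" claim in the thread actually rests on, since without the salt there is nothing to recompute against.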


Plausible uses the same algorithm and they have a page written by a lawyer claiming this is GDPR compliant: https://plausible.io/blog/legal-assessment-gdpr-eprivacy

Edit: Found more discussion here: https://github.com/plausible/analytics/discussions/1963#disc...

> To summarize, I believe the EDPB has made their position very clear on this in their 2023 guidelines: Plausible's fingerprinting is subject to Article 5(3) of the ePD. Plausible has made their position very clear in their blog post, leaning in the other direction. Until this is tried out in court, I don't believe that there will be any definitive answer.


Unlike Plausible and Fathom, it looks like Rybbit is NOT salting by default (but it's an option to enable per site: https://www.rybbit.io/docs/enhanced-privacy). Which is why they can offer retention reporting.

This seems incompatible with ePD.


So IP is considered personal information?


Yes, that is what case C-582/14 concluded.



