GDPR Compliance
-
Hi, great plugin!
Will it be GDPR compliant by the end of May? Will I be able to continue using it?
Thanks,
Pavel.
-
I have this question, too! I love this plugin. It’s invaluable to me but I need to know how it complies with GDPR standards.
thank you!
That is good news. We must be sure the plugin also does not send any information out from the site, definitely not over the EU border. The IPs will have to be anonymized.
Thanks,
Pavel.
-
Hi,
I don’t know if the IP should be anonymized. Even WordPress itself saves the IPs.
~Mihai
-
But would making IPs anonymous affect the function of the plugin since it uses IPs as a way of detecting suspicious activity and then blocking the IP if needed, based on that activity?
The IPs are anonymous. They are not linked to any particular user. Also, the IP is logged only on bad/failed attempts.
IPs are personal data, that has been decided by the EU court (don’t know which one but this decision is done). You can use a one-way algorithm that transforms an IP to another ID and work with the ID. Obviously, the algorithm must only work one way; you should not be able to get the IP from the number again.
Provided that the information stays on your server, and is deleted as soon as it is no longer needed, there should not be a GDPR problem.
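As an added example (editor's code, not the plugin's and not any poster's), here is how the one-way transform suggested two replies up and the "delete as soon as no longer needed" point just above fit together in Python: a keyed HMAC pseudonym in place of a bare hash, and a failed-login counter that stores only the pseudonym and expires old entries. The names `pseudonymize_ip` and `FailedLoginTracker` are hypothetical, and the sample addresses are constructed.

```python
import hmac
import hashlib
from collections import defaultdict


def pseudonymize_ip(ip: str, key: bytes) -> str:
    """One-way transform of an IP into an opaque ID (hypothetical helper).

    A plain SHA-256 of the address is "one way" in name only: the IPv4 space
    is only ~4.3 billion values, so a table of every hash is cheap to build and
    reverses the transform.  Keying the hash with a secret that never leaves
    the server closes that gap: without the key the ID cannot be mapped back.
    """
    digest = hmac.new(key, ip.encode("ascii"), hashlib.sha256).digest()
    return digest[:16].hex()  # 128 bits keeps distinct addresses distinct


class FailedLoginTracker:
    """Counts failed logins per pseudonym and forgets them after a window.

    Only failures are recorded (as the plugin author says), the dictionary key
    is the pseudonym rather than the address, and nothing is kept longer than
    `retention_seconds`.  Rotating `key` periodically also stops IDs from being
    correlated across rotation periods.
    """

    def __init__(self, key: bytes, threshold: int = 5, retention_seconds: int = 3600):
        self.key = key
        self.threshold = threshold
        self.retention = retention_seconds
        self._failures = defaultdict(list)  # pseudonym -> list of timestamps

    def record_failure(self, ip: str, now: float) -> str:
        pid = pseudonymize_ip(ip, self.key)
        self._failures[pid].append(now)
        self._expire(pid, now)
        return pid

    def is_blocked(self, ip: str, now: float) -> bool:
        pid = pseudonymize_ip(ip, self.key)
        self._expire(pid, now)
        return len(self._failures.get(pid, [])) >= self.threshold

    def _expire(self, pid: str, now: float) -> None:
        # Drop timestamps older than the retention window; drop the whole
        # record once it is empty so no stale pseudonyms linger in storage.
        cutoff = now - self.retention
        kept = [t for t in self._failures.get(pid, []) if t > cutoff]
        if kept:
            self._failures[pid] = kept
        else:
            self._failures.pop(pid, None)
```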
Yes, an IP address is personal information, but GDPR does not prohibit you from collecting that information for “legitimate purposes”. Spam checking to ensure the safety of the site and visitors is arguably a legitimate purpose. You’d just need to include a notice to that effect.
-
So is it correct that the plugin does not send IPs or any other data outside my server?
FWIW, IP addresses by themselves are not private information regardless of what GDPR or any other law says. Nobody is entitled to that level of anonymity.
-
@simbalion you can, of course, hold an opinion about what level of privacy people are entitled to. But there are judgements from courts that hold a different opinion. For example the Court of Justice of the European Union held that in some circumstances an IP would be considered to be personal data.
@chris_c I appreciate your response. Courts sometimes make the wrong decisions, which is why we have a chain of appeals (I don’t know how the EU’s system works; I imagine it’s similar?). IANAL and I don’t have time to review that particular case, but the only circumstances where an IP could be rationally considered private data is when it’s bundled with information about browsing habits _on other websites_. Everything that takes place on your own equipment is information which belongs to you, just as all the behavioral and identifying data gathered from a guest spending time in your home would belong to you.
It’s unreasonable to expect a site operator to blind themselves to the connection details of machines which connect to their network. It’s like making an outgoing phone call: the person being called has a right to know who is contacting them. That information is not privileged or private, and in fact it’s essential to record it for security purposes. This will surely prove to be covered under the GDPR’s various vague and broadly worded exceptions.
Again, IANAL. I am, however, a network engineer.
-
@simbalion I do actually agree with you, that it would be difficult to argue that the IP by itself was personal data. I was just pointing out that there are circumstances where combined with other information it could be.
In the context of this plugin, there is surely a small risk that a data breach could occur on a WordPress installation where potentially the IP could be combined with other information, such as the email or username. Even if unlikely, surely it would be wise to cater for that situation?
BTW The Court of Justice in the EU is the highest court in Europe on these matters.
A good explanation is here: https://eugdprcompliant.com/personal-data/.
It says: A much discussed topic is the IP address. The GDPR states that IP addresses should be considered personal data as it enters the scope of ‘online identifiers’. Of course, in the case of a dynamic IP address – which is changed every time a person connects to a network – there has been some legitimate debate going on as to whether it can truly lead to the identification of a person or not. The conclusion is that the GDPR does consider it as such. The logic behind this decision is relatively simple. The internet service provider (ISP) has a record of the temporary dynamic IP address and knows to whom it has been assigned. A website provider has a record of the web pages accessed by a dynamic IP address (but no other data that would lead to the identification of the person). If the two pieces of information were combined, the website provider could find the identity of the person behind a certain dynamic IP address. However, the chances of this happening are small, as the ISP has to meet certain legal obligations before it can hand the data to a website provider. The conclusion is, all IP addresses should be treated as personal data, in order to be GDPR compliant.
@pumpaxxl the foolishness of the European lawmakers is in their presumption that people are entitled to anonymity on the internet. They aren’t. When someone connects to my server I’m going to collect all the information I can about them, in case they behave badly. And in case of those who do, I will use that information to track them down and notify the most appropriate authorities. Thankfully I’m American and the EU can’t do anything about that.
Protecting consumer privacy is important, but a good law cannot be crafted by fools, and that is what happened with the GDPR.
-