Citation needed on this one.
That would make any dashboard that showed which api endpoints are the most popular also illegal.
Anomyous telemetry is not PII. GDPR is personal data.
That depends. First, no data collection is "anonymous" when it is transmitted. Any anonymity must come later, and then is only possible if the company aggregates the data with other users and deletes the original data that was collected.
PII/Personal Data are squishy terms. In the US, anyway, the legal definitions of what counts as "PII" leaves out an awful lot of actual PII -- so any claims that "no PII is being collected" is meaningless without additional explanation of what data items are being collected.
Because no network connection is anonymous but as long as you aren't handling PII, GDPR has nothing to say about it.
I could sell an app in the EU that just pinged my server once a day. As long as I wasn't keeping a record of who pinged what when, there is no PII.
Otherwise everything is PII and you would need consent before every TCP handshake.
Data processing is not just about 'keeping a record'. Processing even for a millisecond is also processing.
> Otherwise everything is PII and you would need consent before every TCP handshake.
Consent is not the only ground for data processing. Normally, it would just be performance of a contract, as the user wants something from you.
It is clear that the EU does not consider telemetry to be strictly necessary and while there can be times when telemetry is allowable with the legitimate interest legal basis (for example, to prevent fraud or to comply with legal obligations), there is already plenty of case law across the EU that shows that the legitimate interest legal basis will not be accepted for user analytics.
For this reason, it seems unlikely that the proposed telemetry will be compliant in the EU.
It's not the network connection that eliminates anonymity (although that, too), but the data itself. Even if there's no single piece of PII involved, fingerprinting is still a thing. That's why, if you want a hope at anonymity, you have to add the collected data into an aggregate collection and delete the original data records.
Are we assuming 1Password is lying about anonymisation?
My point is they didn't "sneak it past the regulators", it's plainly legal to do this under GDPR, and if it isn't I need a citation.
I wouldn't put it that way. Rather, I'd say that you shouldn't assume something is true just because a company claims it is. Especially when that thing can have a material effect on their profit margin.
How are you exactly going to submit it anonymously? Will it connect over Tor? Because if you just send it over your internet connection, it arrives with your IP address on the packets, which is PII, which makes it data processing of PII, which makes it require a legal basis to process. And it is legally uncertain that 'legitimate interest' is a valid ground for telemetry data, leaving only opt-in consent.
Edit: It would also violate using any networks that transit such countries, because TLS and TCP handshake info might be PII too. I find that such a ridiculous position to have re GDPR.
1P already has consent from users for its apps to use the network to connect to their services.
They do not need an additional agreement ie opt-in consent. If they are collecting non-PII they can use the current opt out.
Yes, and this is the current situation with the US following Schrems II. Obviously, lots of companies are non-compliant as everyone is waiting for a diplomatic solution following the ruling against Privacy Shield.
> 1P already has consent from users for its apps to use the network to connect to their services.
They probably rely on the strictly necessary legal basis for network connections that are required to run the service. However, each purpose much have its own legal basis and you cannot bundle purposes. For example, you cannot gain consent to process given personal data for one purpose and then process it for another purpose.
Consent must be bound to one or several specified purposes which must then be sufficiently explained.
Everyone just consents anyway...
Unless you don't lie to them and don't use every dark pattern in the book to trick them into clicking the checkbox.
I am countering the position of the parent poster and asking for a citation that would indicate you don't need to sneak this around the EU regulators to do it.
