undefined | Better HN

0 pointsFraaaank10mo ago0 comments

> You can also anonymize data and that is no longer considered personal data under GDPR so it is possible to hash an IP address and that be acceptable.

That's not completely true. Recital 26 of GDPR stipulates that

> “information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.”

Hashing does not meet this threshold. If the same IP address is hashed using the same method, the result will always be the same, meaning it can be matched. Hashing is therefore considered pseudonimization and under GDPR, pseudonymized data is still considered personal data.

Moreover, the act of anonymization itself is a form of processing and therefore falls under the scope of GDPR. So even attempting to anonymize personal data doesn't remove GDPR obligations for the anonimyzation itself.

0 comments

robbie-c10mo ago

Disclaimer: IANAL

> If the same IP address is hashed using the same method, the result will always be the same, meaning it can be matched.

The way people get around this is by using an ephemeral salt, that is deleted e.g. daily. After enough time has passed, it'd be impossible to reverse the hash as the salt would be lost.

rustc10mo ago

Plausible uses the same algorithm and they have a page written by a lawyer claiming this is GDPR compliant: https://plausible.io/blog/legal-assessment-gdpr-eprivacy

Edit: Found more discussion here: https://github.com/plausible/analytics/discussions/1963#disc...

> To summarize, I believe the EDPB has made their position very clear on this in their 2023 guidelines: Plausible's fingerprinting is subject to Article 5(3) of the ePD. Plausible has made their position very clear in their blog post, leaning in the other direction. Until this is tried out in court, I don't believe that there will be any definitive answer.

jhpacker10mo ago

Unlike Plausible and Fathom, it looks like Rybbit is NOT salting by default ( (but that it's an option to enable per site: https://www.rybbit.io/docs/enhanced-privacy). Which is why they can offer retention reporting.

This seems incompatible with ePD.

j / k navigate · click thread line to collapse