"Data Breaches… Armageddon…" – as announced by the Three Horsemen

Stuart Ritchie


IP addresses can determine jurisdiction – as classically exploited by private and public surveillance agencies, BigTech, other data brokers, and just about any web site owner. This is well known. As is the fact that such tracking information is key to everyone’s commercial efforts to destroy net neutrality and undermine the web. But what does this mean for GDPR compliance? Can it be exploited for classifying individuals’ jurisdiction? Should it? What are the pros and cons?

Theory (law)

I note in passing that IP addresses are personal data, just as much as anonymized and/or encrypted data. That is old news (if it was ever news).

IP addresses can determine location. This is important. Some people (notably governments) think that the GDPR is predicated upon EU citizenship, and wonder if IP addresses can be helpful to that. Unfortunately we now must recapitulate the rather confused question I’ve been asked before: "does GDPR apply only to EU residents/citizens or does it also apply to EU citizens living outside the EU."

The answer to that is: neither. It applies to people IN the Union. So:

  • citizenship is irrelevant.
  • residence is irrelevant.
  • legal domicile is irrelevant.
  • only location is relevant.

Again, just as with most GDPR questions: this is not new. It’s been that way since 1995, as EU and non-EU Supreme Courts repeatedly have accepted. Search for the word "citizen" anywhere in the Privacy Directive, or the GDPR, or even the material Articles 7, 8, 47 of the Charter. You’ll come up with zilch. I started pointing this out on public fora in 2015, by 2017 most professionals had taken the point. Sadly not the US or EC negotiators of Privacy Shield…

Spoiler: war story of possible interest to attorneys in the USA.

This is why, for instance, years ago my firm was able somewhat to destabilize a multi-jurisdiction fraud case in Asia in which none of the protagonists or witnesses or jurisdictions had anything to do with the EU, but in which some of the evidence had been collected from witnesses passing through the EU – unlawfully in respect of the local data protection law. As a matter of public policy in promoting the rule of law no Court, even in jurisdictions lacking the "fruit of the poisonous tree" doctrine, is happy with evidence that has been collected by breaking criminal or even civil law.

Well it worked for me, and it should work even better in places like the USA. So if any of those reading this are practicing attorneys in US jurisdictions, file this away in your armory of contingently useful Jedi tricks for whenever you’re acting for people (whether or not US nationals) in the EU or who might have been in the EU or might be in the EU in the future… I look forward to a new low in class action forum-shopping tricks, just fly to the EU and then issue proceedings – remember, you read it here first!

Corollary: as governments (such as the European Commission and the US Federal government) have an innately poor understanding of law (alternatively simply don’t care), they have a comical habit of making pointlessly irrelevant citizenship-based agreements / treaties such as Privacy Shield. As they say: do the math. (do I hear an echo?)

Applying this answer to the topic, it follows in principle that, to the extent that recorded IP address reflects the individual’s true current geolocation, then – technically – sure you can discriminate perfectly lawfully on the basis of IP address.

But "to the extent that" is a monster caveat. For instance I deliberately break that IP geolocation link almost every day, whenever I fake my IP address in order to view US web page content/television/films forbidden to viewers in Britain (varies for me but recently I looked at John Oliver’s show – a brilliantly ironic example, given that he himself is British!). And people less laid-back than I mostly am, but with litigation skills – or money plus an "attitude problem" – who happen to use (say) their enterprise VPN, or a private VPN, or Tor, or any of the myriad other techniques available to fake your IP, are NOT the data subjects you wish to p155 off with data protection law breaches.

As the old aphorism goes, don’t poke the bear. All you need is one data subject, among your thousands/millions of LIKE-addicted customers, whose love of your enterprise somehow degrades to less than perfect and sublime, and your compliance falls apart as the house of cards it is.

Second caveat: there are herds of time-travel-elephants in the room. Which are summarized by the question: what happens as time passes, when (not if) individuals travel? Wargame the scenarios for yourself. Answers on a postcard…

Practice (compliance implementation)

If you’re with me on the above, and accept either or both caveats, then you’ll appreciate the dangers of inferring legal status from IP addresses.

We know that companies like Google appear to be able to switch jurisdiction-specific compliance on and off literally at the touch of a button. As recently demonstrated by G with their new face-matching app – which they had to switch off for two US states whose laws ban such apps. Any data-driven company can do the same. The question is: what do we do about compliance?

We could try stating we presume that data subject locations are as mapped from their IP addresses, and will process accordingly. Now this would be fine if data protection law were merely a private law / contract issue, the worst that could happen would be a technical breach of contract. But it’s not. Why? I refer you to the caveats above, and invite you to contemplate the differences between private law (eg contract) and public law.

Conclusion: bad idea, at least unless you do a DPIA and walk into it with your eyes open.

Tip: If you go ahead and do this anyway, then you immediately have a second problem. Because by definition you’re also profiling and conducting automated decisionmaking, your decision being – boom boom – to break the law! Do the math. There are worse "unintended consequences" in the GDPR, but this is a fun one.

Ok, smartypants, so how do you handle IP addresses in practice?

Spoiler: Worked example on IP address handling

Ok, here’s what I might do in the context of gdpr360. I’m prepping info architecture maps (translate as "Article 30") for (say) each of web site visitors, for account holders, for employees / subcontractors, for business contacts and for students. Those are the only personal data subject categories whose data we process. By May I’ll have a blog discussing in detail at least two of these (because compliance for "overlap" processing must be consistent), and how they’re constructed.

For now, let’s look at web site visitors (only) in a short incomplete analysis restricted to IP addresses.

Data category ("what")? We collect their IP address.

Storage ("where")? In our web logs. IP addresses, in case you’re wondering, are stored minimally in our web logs even if we don’t want to monitor/profile/track people. Note: whatever web server you use, whether Apache (nearly 50% market share) or whatever (including the weird one we use on one tech site), maintain logs by default that include IP addresses.

Purpose ("why")? maybe for security/authentication/identification reasons (thus Article 6(1)(f)).

Explanation of legitimate interests, as required? Maybe web server operation, cyber-security defense, cyber-fraud defense, and reporting to law enforcement. If we want to be able to let people make payments, or remember who they are, and comply with simpler non-GDPR jurisdiction-based processing laws (such as UK/US/Chinese/Saudi/etc censorship and commercial monopolies/IPR), then this an important (while not absolutely the only) way to do such things. Sure cookies play a part in such things, whether session, persistent, or super, but we’re not discussing those, are we?

Profiling? Potentially sure, but only if we use it to distinguish different data subjects. We might profile only to distinguish between different enterprises (for local law enforcement reporting purposes). So maybe no.

Necessity? Do the math – mapping between our process (singular) and its purposes. (As I have a "legal" hat beside me, I can put it on and do that as well).

Minimization? In this instance, same process as Necessity.

Monitoring (in respect of our extra-EU activities)? Yes, of course Article 3(2) is engaged simply by keeping data subject IP addresses. Do the math.

P.S. I owe some apologies to my readers: all three of you have had a mercifully long time between medicinal drinks. You should be aware this will change soon, so think about running (hiding is not an option). My delays are down to prioritizing practical compliance over the theory of the other blogs I’m scheduled to deliver. For instance, this morning I’m taking a break from IT-weaponizing the connections between Article 30 and Article 35, etc.

    All facts and opinions set out above, including but not limited to spoken content and attachments/links, are provided for informational purposes only as a non-legal service to the public, and do not constitute legal advice or a substitute for legal counsel, and do not create any lawyer-client relationship, nor do they constitute advertising or provision of a legal service, nor are they the opinion of this web site or of its owner. The author is a co-founder of GDPR360 but does not speak in that capacity or in the capacity of a lawyer.