Understanding the legal status of IP addresses is complex. In Europe, the General Data Protection Regulation (GDPR) is supposed to have leveraged the legal status of IP addresses as personal data, but recent decisions from the European Court of Justice undermine this view. In the hope to clarify this situation, we have looked on how 109 websites deal with IP addresses. First, we analyzed the privacy policies of these websites to determine how they considered IP addresses. Most of them acknowledge in their privacy policy the fact that IP addresses are personal data. Second, we submitted subject access requests based on the IP addresses used to visit different websites. Our requests were often denied. Websites justify their answers with different explanations suchlike: you need to register, or IP addresses do not allow to identify you, to name a few. This situation is rather frustrating for any user wanting to exercise his/her rights: IP addresses are personal data on (legal) papers, but there are no means to exercise the rights thereto. One maybe tempted to say that IP addresses are not personal data. We make several proposals to improve this situation by modifying how IP addresses are allocated to a user.
翻译:了解IP地址的法律地位是复杂的。在欧洲,一般数据保护条例(GDPR)本应将IP地址的法律地位作为个人数据加以利用,但欧洲法院最近的决定却破坏了这一观点。为了澄清这种情况,我们研究了109个网站如何处理IP地址。首先,我们分析了这些网站的隐私政策,以确定他们如何考虑IP地址。大多数网站在隐私政策中承认IP地址是个人数据。第二,我们根据用于访问不同网站的IP地址提交了访问请求。我们的要求常常遭到拒绝。网站以不同解释来证明其答复的理由:您需要注册,或者IP地址不允许识别您,举几个例子。对于任何想要行使其权利的用户来说,这种情况相当令人沮丧:IP地址是(法律)文件中的个人数据,但是没有办法行使相关权利。也许有人想说IP地址不是个人数据。我们提出若干建议,通过修改IP地址分配给用户的方式来改进这一状况。