Why IP-based Subject Access Requests Are Denied?

Understanding the legal status of IP addresses is complex. In Europe, the General Data Protection Regulation (GDPR) is supposed to have leveraged the legal status of IP addresses as personal data, but recent decisions from the European Court of Justice undermine this view. In the hope to clarify this situation, we have looked on how 109 websites deal with IP addresses. First, we analyzed the privacy policies of these websites to determine how they considered IP addresses. Most of them acknowledge in their privacy policy the fact that IP addresses are personal data. Second, we submitted subject access requests based on the IP addresses used to visit different websites. Our requests were often denied. Websites justify their answers with different explanations suchlike: you need to register, or IP addresses do not allow to identify you, to name a few. This situation is rather frustrating for any user wanting to exercise his/her rights: IP addresses are personal data on (legal) papers, but there are no means to exercise the rights thereto. One maybe tempted to say that IP addresses are not personal data. We make several proposals to improve this situation by modifying how IP addresses are allocated to a user.