On 07/01/2022 14:01, Sam Kuper wrote:
You say you cannot see it, but I gave an example below, in my previous
email:
Secondly, a person sending an email to a mailing list might very well
consent for the mailing list's recipients to receive the content,
subject, and reply address of that email - but *not* the IP address
from which it was sent.
Your example was clear. I was replying about "assumed consent". In the
case that I send an email to a public mailing list I don't think you
would need to get explicit consent (for processing the email contents).
That you're not necessarily consenting to the diffusion of the ip
address by sending the email is clear.
The IP address is a different kind of datum to the content, subject, and
reply address.
For instance:
- The IP address is likely to allow the user's location (city or
region) to be inferred, in a manner typically outside the user's
control. As such, disseminating the IP address unnecessarily would
reduce the user's privacy.
- The sender of an email is likely to be aware of the content,
subject, and sender address of an email that they send, because MUA
UIs typically make this clear. But many (most?) email users don't
know what IP addresses are or what can be inferred from them, and so
*cannot* (without being provided with a clear explanation) give
informed consent about divulging their IP addresses unnecessarily.
So, unless a service provider obtains user consents meeting the four
tests above, in respect of *each kind* of datum they intend to process,
then the service provider would on the face of it be in breach of the
GDPR in respect of that kind of datum.
In particular, the "freely given" consent means that provision of a
service, etc, should not be contingent upon consent. I.e. if it is not
*necessary* (which it isn't, by definition) for some kind of datum (e.g.
users' IP addresses) to be disseminated more widely than necessary, then
a service provider cannot validly under the GDPR require a user to
consent to such dissemination in order to receive the service. Such
contingency would render the consent not freely given.
Sam
Yes, I stand corrected. Consent would not be a solution. You'd still
need a way of NOT sending the ip if consent was not given and if that
way did not exist, consent would not be freely given, even for those
that give it.
So only lawful processing category that potentially could remain
feasible I think is legitimate interest (i.e. email headers can
generally be expected to contain ip info, potentially useful for spam
prevention) but given that the info is available in log files, it would
be hard to argue that the inclusion in the email header is legitimate
when compared to rights of data subject.
So indeed the safest thing is to remove originating ips from headers, so
as not to be on wrong side of GDPR legislation.
John
