GDPR/sender-ip (was: make received-header on submission optional or at least drop the ip in it)

John Fawcett john at voipsupport.it
Fri Jan 7 13:37:39 UTC 2022


On 07/01/2022 14:01, Sam Kuper wrote:
>
> You say you cannot see it, but I gave an example below, in my previous
> email:
>
>
>>> Secondly, a person sending an email to a mailing list might very well
>>> consent for the mailing list's recipients to receive the content,
>>> subject, and reply address of that email - but *not* the IP address
>>> from which it was sent.
>>

Your example was clear. I was replying about "assumed consent". In the 
case that I send an email to a public mailing list, I don't think you 
would need to get explicit consent (for processing the email contents). 
That you're not necessarily consenting to the diffusion of the IP 
address by sending the email is clear.

> The IP address is a different kind of datum to the content, subject, and
> reply address.
>
> For instance:
>
> -   The IP address is likely to allow the user's location (city or
>      region) to be inferred, in a manner typically outside the user's
>      control.  As such, disseminating the IP address unnecessarily would
>      reduce the user's privacy.
>
> -   The sender of an email is likely to be aware of the content,
>      subject, and sender address of an email that they send, because MUA
>      UIs typically make this clear.  But many (most?) email users don't
>      know what IP addresses are or what can be inferred from them, and so
>      *cannot* (without being provided with a clear explanation) give
>      informed consent about divulging their IP addresses unnecessarily.
>
>
> So, unless a service provider obtains user consents meeting the four
> tests above, in respect of *each kind* of datum they intend to process,
> then the service provider would on the face of it be in breach of the
> GDPR in respect of that kind of datum.
>
> In particular, the "freely given" consent means that provision of a
> service, etc, should not be contingent upon consent.  I.e. if it is not
> *necessary* (which it isn't, by definition) for some kind of datum (e.g.
> users' IP addresses) to be disseminated more widely than necessary, then
> a service provider cannot validly under the GDPR require a user to
> consent to such dissemination in order to receive the service.  Such
> contingency would render the consent not freely given.
>
> Sam
>

Yes, I stand corrected. Consent would not be a solution. You'd still 
need a way of NOT sending the IP if consent was not given, and if that 
way did not exist, consent would not be freely given, even for those 
that give it.

So the only lawful processing category that potentially could remain 
feasible, I think, is legitimate interest (i.e. email headers can 
generally be expected to contain IP info, potentially useful for spam 
prevention), but given that the info is available in log files, it would 
be hard to argue that the inclusion in the email header is legitimate 
when compared to the rights of the data subject.

So indeed the safest thing is to remove originating IPs from headers, so 
as not to be on the wrong side of GDPR legislation.

John


