Data protection, privacy, and other bits for personal websites

This is not a proper blogpost, but rather some hastily-scribbled thoughts in response to a question on Twitter, which would be better held in one place than in a series of tweets.

This is not legal advice.

The question, in a nutshell, is about the application of the data protection and ePrivacy framework when it comes to personal sites, such as a blog.

So here are some quick, off-the-cuff, thoughts.

The (UK) GDPR applies only if you are processing personal data

If you are not processing personal data, you don’t need to worry about the UK GDPR.

If you are just serving up pages which themselves do not contain personal data, with no comments section, no newsletter, and no individual-level analytics, the likelihood of the UK GDPR applying is low.

IP addresses and server logs

There is an argument to be had about IP addresses in server logs. There is case law from the Court of Justice of the European Union on this, but relating to a set of facts involving logs, including IP addresses, which were kept “[w]ith the aim of preventing attacks and making it possible to prosecute ‘pirates’”

Even though the site operators — the German government, which may also play a role in the decision — could not identify an individual from an IP address, the court’s reasoning was that:

in the event of cyber attacks legal channels exist so that the online media services provider is able to contact the competent authority, so that the latter can take the steps necessary to obtain that information from the internet service provider and to bring criminal proceedings

In other words, by relying on the facilities and powers available to others, it was possible to identify an individual.

(For what it’s worth, I think this judgment is poorly reasoned, and makes some logical leaps in terms of linking an IP address to an individual, but, hey, no-one asked for my view.)

Even if an individual operating a personal website keeps full, untruncated IP addresses in logs, for a limited period, purely to assist with the operation of the site (e.g. fail2ban acting on abusive log entries, or the like), I think there’s scope to argue that those IP addresses are not “personal data”. But it’s arguable, and so potentially risky.

Better would be to truncate the IP addresses before storing them in the logs, so that they could not be used, even in conjunction with the police, to identify an individual.
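As an added illustration of that truncation step (example code written for this page, not something the original post or any particular server ships with), the following script zeroes the host bits of the client address in ordinary combined-format web server log lines before they are stored. The prefix lengths (/24 for IPv4, /48 for IPv6) and the sample log lines are constructed assumptions; pick the lengths that leave you enough for operational purposes without identifying a single connection.

```python
import ipaddress

# Constructed sample log lines in the nginx/Apache "combined" format.
# The addresses are documentation ranges, not real visitors.
SAMPLE_LOG = """\
203.0.113.42 - - [10/Oct/2023:13:55:36 +0000] "GET /about HTTP/1.1" 200 512 "-" "Mozilla/5.0"
2001:db8:abcd:1234:5678:9abc:def0:1 - - [10/Oct/2023:13:55:37 +0000] "GET /feed.xml HTTP/1.1" 200 2048 "-" "curl/8.0"
not-an-ip - - [10/Oct/2023:13:55:38 +0000] "GET / HTTP/1.1" 400 0 "-" "-"
"""

# Assumed prefix lengths: keep the first three IPv4 octets, and the first
# 48 bits of an IPv6 address (the part normally assigned to a whole site).
IPV4_PREFIX = 24
IPV6_PREFIX = 48


def truncate_ip(raw: str) -> str:
    """Return the address with its host bits zeroed.

    Anything that does not parse as an IP address is replaced with "-" so
    that a malformed field cannot leak through untouched.
    """
    try:
        addr = ipaddress.ip_address(raw)
    except ValueError:
        return "-"
    prefix = IPV4_PREFIX if addr.version == 4 else IPV6_PREFIX
    # strict=False lets ip_network accept an address with host bits set and
    # hand back the enclosing network; its network_address is the truncated form.
    network = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(network.network_address)


def anonymise_line(line: str) -> str:
    """Replace the leading client-address field of a combined-format log line."""
    client, sep, rest = line.partition(" ")
    if not sep:
        return line
    return truncate_ip(client) + sep + rest


def anonymise_log(text: str) -> list:
    """Anonymise every line of a log file's contents."""
    return [anonymise_line(line) for line in text.splitlines()]


if __name__ == "__main__":
    for out in anonymise_log(SAMPLE_LOG):
        print(out)
```

Run it over a log on stdin or wire it into the log pipeline so that the truncated form is what reaches disk. If a tool such as fail2ban needs the full address to act on, it has to see the line before truncation, which argues for truncating at the point where logs are written to longer-term storage rather than only at rotation.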

In other words, if you can avoid processing personal data, do so.

If you collect email addresses (e.g. for comments, or for a newsletter sign-up), or if your site content contains the personal data of other people, then this is irrelevant anyway.

The (UK) GDPR does not apply to processing “by a natural person in the course of a purely personal or household activity”

This is commonly known as the “domestic purposes” exemption.

Case law shows that it is interpreted narrowly, particularly in the context of online activity, but that does not mean it does not exist at all.

I am not aware of case law specifically about personal blogs / sites.

Recital 18 to the GDPR says:

This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity. Personal or household activities could include correspondence and the holding of addresses, or social networking and online activity undertaken within the context of such activities.

My gut feeling is:

Even if it does apply, what do you need to do?

The UK GDPR has requirements which apply in all cases (unless an exemption applies), and other requirements which apply only if the processing will reach a sufficient level of risk. I’m going to go out on a limb and say that a personal website probably won’t trigger those conditions.

So the gist is:

Do I need to register with the ICO?

The rules about registration with the ICO are separate from the rules around processing of personal data.

The simplest thing to do is to use the regulator’s own toolkit.

If all your processing falls within the “domestic purposes” exemption (above), you have no requirement to register.

Cookies and the ePrivacy framework

The GDPR applies only where there is processing of personal data.

The rules on cookies contained in the ePrivacy framework are not limited to processing of personal data, and there is no “purely household purposes” exemption.

In the UK, the rules are contained in the Privacy and Electronic Communications Regulations 2003.

Although they’re often known as the “cookie” rules, they apply more broadly. They apply whenever someone stores information in the terminal equipment of a subscriber or user, or gains access to information stored in the terminal equipment of a subscriber or user.

The gist of the rules is: