| ▲ | buzer 17 hours ago | |
You are somewhat confusing two distinct concepts. IP addresses are considered to be personal data because they can be linked to single individual and controller is allowed to give this personal data to someone who can do the linking (e.g. police who can then request logs from ISP or NAT connection logs from the company). Now it doesn't mean it will always link to single individual, but unless controller can be sure that there are always at least 2 people behind the IP and the devices on that side do not keep enough information to ever link IP+timestamp+destination service to single individual, the controller essentially must assume that IP address is personal data. This is different from civil liabilities. National courts determine what is the threshold for that. For example in Finland the court has ruled that if the owner of the car cannot name the person who parked the then the presumption is that they did it and are responsible for parking contract breach (KKO 2026:24). National courts could end up with similar ruling for civil liability for sharing content, i.e. assumption that the IP owner either is the person who shared it or knows who they did it & if they refuse to name the person then presumption is that they did it. | ||