As far as I'm aware, since IP addresses _can_ uniquely identify a person (think of static IPs offered by some ISPs), it is considered personal data by authorities.

GDPR leaves a huge grey area that is up to interpretation, which in practice boils down to companies trying to avoid even said grey area and keeping a very strict GDPR policy. Been there, done that (doing that, in fact). Painful as it is, that's the law.

Agoston

On Sun, Jan 10, 2021 at 7:36 AM Michael Kafka via db-wg <db-wg@ripe.net> wrote:

On 2021-01-08 18:15, Randy Bush via db-wg wrote:
>> If the geofeed doesn't contain the above mentioned means to directly
>> or indirectly identify a natural person then GDPR don't apply,
>> especially if the geofeed refers only to a country or province.
>
> note that the geofeed spec, RFC8805, is separate from the rpsl-based
> means to find the geofeed files, draft-ietf-opsawg-finding-geofeeds.

that wouldn't make a difference here. if the RIPE database points
immediately to personal information GDPR applies.

> i was not involved in the geofeed spec, but it was done by friends of
> the family who gossip :)
>
> i was told that the reason there is no postal code in the geofeed file
> spec is because, in some cases, it resolves with sufficient precision to
> identify individuals.
>
> randy

the precision of postal codes (e.g. in great britain) is a good point!

MiKa