Reflecting on the GDPR to celebrate Privacy Day 2024

The GDPR's broad definition of 'personal data' has led to unintended consequences that could hamper cybersecurity efforts and damage the functioning of the global internet infrastructure as a whole. For example, IP addresses are often considered personal data under the GDPR, leading to stringent restrictions on their transfer between regions like the EU and US. This is despite many online services requiring IP address data for legitimate cybersecurity purposes such as preventing DDoS attacks or bot fraud. The article suggests that IP addresses should not be considered personal data when they cannot be linked by an entity to a real person, and proposes guidelines to clarify this issue. Additionally, the GDPR's application should consider the cybersecurity benefits of data processing in mind, as ignoring these could lead to less effective security measures and ultimately harm privacy.