[PATCH] conf/nginx.conf: add example "privacy" log_format

Anton Luka Šijanec anton at sijanec.eu
Wed Jan 13 11:37:36 UTC 2021

Hans-Christoph Steiner <hans at guardianproject.info> @ Wed, 13 Jan 2021 10:27:42 +0100:
> The standard log_formats store detailed information which falls under
> data regulations like the EU's GDPR and California's CCPA. This merge
> request adds a suggested "privacy" log_format that generates logs that
> cannot be used to identify users. This has been developed and used by
> Tor Project, Guardian Project, and F-Droid.

IANAL, so: Are there any exceptions in EU's GDPR that allow short-stored logs of user-identifiable information? That would seem useful, as *some* logging is useful when detecting and reporting fraudalent activities and for detecting spam. Logs are rotated and are sometimes useful when a data breach happens.

I've also seen some examples of ISPs having to store info, that would be classified as user data, for 6 months for detecting illegal activities. See [1].

Again, IANAL, but [0] describes some allowances regarding log data. I agree with adding the privacy option, but is that really a must when dealing with EU customers?


[0] https://www.termsfeed.com/blog/gdpr-log-data/#Storage_Limitation
[1] https://en.wikipedia.org/wiki/Data_retention#European_Union

More information about the nginx-devel mailing list