The simple fact of sending PII such as IP addresses to a third party for something that can trivially be done by analyzing existing server logs (without introducing a third party) already puts this on shaky ground from a GDPR point of view, regardless of everything else.
People sometimes mix the terms and occasionally confuse the terminology, as they often associate GDPR with the concept of "not needing a consent banner."
So, yes, you don't need to ask for consent to collect IP addresses for analytical purposes or logging.
Consent (Article 6 (1)a [0]) is indeed one of the conditions that can be used to comply with the GDPR requirement that processing must be lawful. Still, there are other conditions available to the controller to ensure lawful processing. There are alternatives (before the list of conditions, it says that "at least one of the following" must be satisfied). Logging IP addresses for security is an extremely widespread practice. It is a legitimate interest to comply with standard security practices.
The GDPR mandates that the entire data processing cycle maintain a high standard of data protection. This implies that personal data transfers to non-European nations are allowed only if they ensure an adequate level of data protection. Otherwise, contractual agreements (SCCs) between data exporters and importers may translate GDPR's provisions into an enforceable agreement with the foreign importer, ensuring their processing aligns with GDPR.
The US had an adequacy decision termed "Privacy Shield," which was revoked due to concerns surrounding the rule of law vis-a-vis US mass surveillance laws. Due to similar reasons, contracts with US-based data importers may also be invalid. Additionally, using EU-based services from US-controlled companies is increasingly becoming worrisome.
Beam's approach relies on a weaker variant, which leverages a hash function to derive a pseudo-random ID from user-identifying information, such as the IP address. Although Beam's technique circumvents the need for a large lookup table, an unscrupulous server operator could log the daily key and use it to recover the original data from hashed IDs.
The flaw in this approach is that it still hinges on identifying data. While it serves as a good compliance and security measure, it doesn't alter anything significant from GDPR's standpoint.
The same applies to competitive solutions like Plausible or Fathom.
Disclaimer: Consult with your legal team; I am just a product guy. I explored the field to do a similar product a while ago.
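To make the reversibility point concrete, here is an added illustration (not Beam's code; it assumes the ID is an HMAC-SHA256 of the IP under a rotating daily key, which is one plausible reading of "hash function with a daily key"): the ID is unlinkable only for someone without the key, while anyone holding the key can invert it by enumerating candidate addresses, because the IPv4 space is small.

```python
import hashlib
import hmac
import ipaddress
from typing import Optional

# Constructed sample key; a real deployment would rotate this every day.
DAILY_KEY = b"constructed-daily-key-2024-01-01"


def daily_id(ip: str, daily_key: bytes = DAILY_KEY) -> str:
    """Pseudonymous visitor ID: keyed hash (HMAC-SHA256) of the IP under a per-day key.

    Without the key this behaves like a random function of the IP, so IDs from
    different days cannot be linked and the IP cannot be read off the ID.
    """
    return hmac.new(daily_key, ip.encode("ascii"), hashlib.sha256).hexdigest()


def recover_ip(target_id: str, daily_key: bytes, candidate_net: str) -> Optional[str]:
    """Invert an ID given the key: re-hash every candidate address and compare.

    This is why the scheme is pseudonymisation rather than anonymisation: the
    operator (or anyone who logged the key) only has to search a small space.
    """
    for addr in ipaddress.ip_network(candidate_net):
        if hmac.compare_digest(daily_id(str(addr), daily_key), target_id):
            return str(addr)
    return None


def demo() -> Optional[str]:
    """Hash a constructed visitor IP, then recover it with the key and a /24 search."""
    visitor_ip = "203.0.113.42"  # constructed documentation address (RFC 5737)
    vid = daily_id(visitor_ip)
    return recover_ip(vid, DAILY_KEY, "203.0.113.0/24")


if __name__ == "__main__":
    print("recovered:", demo())
```

Searching the full IPv4 range is the same loop over 2^32 candidates, which is cheap for the key holder; rotating and discarding the key is what stops reversal, not the hashing itself.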
> an unscrupulous server operator could log the daily key and use it to recover the original data from hashed IDs.
> The flaw in this approach is that it still hinges on identifying data. While it serves as a good compliance and security measure, it doesn't alter anything significant from GDPR's standpoint. The same applies to competitive solutions like Plausible or Fathom.
This is where technical compliance meets legal compliance. There is always a risk of a breach and of malicious actors circumventing even the most advanced technical solutions.
It is not foolproof, but having a SIGNED Data Processing Agreement can go a long way in case of such a violation. It won't help with technical lapses, but it can save your business by pointing at the legal obligation of your data processor so that they take some of the heat.
Having a partner from a country with a compatible legal system helps a lot in the execution of such an agreement. We no longer deal with non-EU/EEA entities and avoid anyone who uses a US cloud for data processing. The risk is just not worth it. Not to mention, this simplifies the Transfer Impact Assessment.