
On 2019-07-20 13:24, Peter Schober wrote:
Nit: If the SP receives a persistent identifier (i.e., one that doesn't change from session to session) the subject is not "anonymous" but merely "pseudonymous", at least under GDPR terminology. (This matters to those of us that have to comply with GDPR because "anonymous data" isn't personal data and doesn't fall under GDPR, but "pseudonymous" is personal data just as if it were not pseudonymised.)
According to the assessment of GEANT https://www.geant.org/Projects/GEANT_Project_GN4/deliverables/M9-2_Assessmen... both persistent and non-persistent identifiers are personal data according to GDPR because they can both be used to indirectly identify the person. So the only way to avoid personal data would be to not send any identifier, which probably wouldn't be acceptable for many content providers.
Best regards, Bernd