
Are IP addresses considered PII or not? I remember there being multiple conflicting conclusions on that


It looks like IP addresses are considered PII by GDPR:

https://gdpr.eu/eu-gdpr-personal-data/

They are explicitly listed as an example of PII.


So in essence, it disallows logging IP address for any purpose, be it security, debugging, rate-limiting etc. because you can't give consent in advance for this, and no other sentence in Art. 6.1 applies.

Moreover, to reason about this, one also needs to take into account Art 6.2 which means there might be an additional 27 laws you need to find and understand.

Note, however, that recital 30, which you quoted, is explicitly NOT referenced by Art. 6, at least according to this unofficial site: https://gdpr-info.eu/art-6-gdpr/

This particular case might be solved through hashing, but then there are only 4.2bn IPs, so it's easy to try out all hashes. Or maybe it's only OK with IPv6?

I find this vague or at least hard to reconcile with technical everyday reality, and doing it well can take enormous amounts of time and money that are not spent on advancing anything of value.


That's not true. IP addresses might be processed in regards to article 6.1 c) or 6.1 f) but only for these very narrowly defined use cases and in accordance with article 5. So, purge your logs after 14/30 days and don't use the ip address for anything else and you will be fine.


Where do the 14/30 days come from?


Gut feeling (kind of).

There are rulings that access providers are/were allowed to save full IP addresses for up to 7 days to handle misuse of services etc. and any longer storage seems unnecessary and unlawful.

In other cases there were recommendations of up to 30 days, ideally with anonymized addresses where the last one or two triplets are automatically being removed. I've also seen 30 days as kind of the default setting for automatic log purging with shared webhosters.

Our lawyer told us that he estimates that saving full IP addresses for 14 days in logfiles would be fine with regard to preventing/tracking misuse of services or attacks against the infrastructure.

If this ever came to court, it would most probably be up to the judge to decide whether this is really fine or already too much. Therefore we had to document the process and why we think 14 days is reasonable, and so on.

The GDPR lacks a specific time frame and I think that's okay. There's always some "wiggle room" in European laws, it's about not misusing that room and sincerely acting in the best interest of everybody.
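The two techniques mentioned in this thread, hashing the address and dropping the trailing octets/groups, behave very differently, so here is an added example (not code from any commenter) that puts them side by side: truncation to /24 (IPv4) or /48 (IPv6), an unkeyed SHA-256 that is reversed by simply enumerating candidate addresses (the "only 4.2bn IPs" problem; the example enumerates a single /24 so it runs in milliseconds, but the whole IPv4 space is just 2^32 hashes), and an HMAC under a secret key, which cannot be enumerated without the key but still lets you correlate repeat offenders for rate-limiting or abuse handling. The addresses, log lines and key are constructed for the example.

```python
"""Pseudonymising client IPs in access logs: truncation vs. unkeyed hash vs. HMAC."""
import hashlib
import hmac
import ipaddress
import re

# Constructed secret for the example. Generate a fresh key per retention window
# and destroy it when the logs are purged, so old pseudonyms become unlinkable.
EXAMPLE_KEY = b"rotate-me-with-the-log-retention-window"

# Constructed access-log lines in the common log format (documentation ranges).
SAMPLE_LOG = [
    '203.0.113.42 - - [10/Oct/2023:13:55:36 +0000] "GET /login HTTP/1.1" 200 512',
    '2001:db8:85a3::8a2e:370:7334 - - [10/Oct/2023:13:55:37 +0000] "POST /login HTTP/1.1" 401 87',
]

_LEADING_IP = re.compile(r"^(\S+)")


def truncate_ip(ip_text, v4_keep_bits=24, v6_keep_bits=48):
    """Zero the host part: /24 for IPv4 (drops the last octet),
    /48 for IPv6 (drops the last five groups). Not reversible, but
    everyone behind the same prefix collapses into one bucket."""
    ip = ipaddress.ip_address(ip_text)
    keep = v4_keep_bits if ip.version == 4 else v6_keep_bits
    return str(ipaddress.ip_network(f"{ip}/{keep}", strict=False).network_address)


def plain_hash(ip_text):
    """Unkeyed SHA-256 of the address text. NOT a safe pseudonym: the input
    space is tiny, so anyone can rebuild the mapping by hashing every address."""
    return hashlib.sha256(ip_text.encode()).hexdigest()


def keyed_pseudonym(ip_text, key=EXAMPLE_KEY):
    """HMAC-SHA256 under a secret key. The same address always maps to the same
    pseudonym (so rate-limiting and abuse correlation still work), but without
    the key an attacker cannot run the enumeration below."""
    return hmac.new(key, ip_text.encode(), hashlib.sha256).hexdigest()


def recover_by_enumeration(digest_hex, candidate_network):
    """Reverse an unkeyed hash by hashing every address in a range and
    comparing. Returns the matching address or None."""
    for addr in ipaddress.ip_network(candidate_network):
        if plain_hash(str(addr)) == digest_hex:
            return str(addr)
    return None


def anonymize_log_line(line, mode="hmac"):
    """Replace the leading client address in a common-log-format line."""
    m = _LEADING_IP.match(line)
    if not m:
        return line
    ip_text = m.group(1)
    if mode == "truncate":
        replacement = truncate_ip(ip_text)
    elif mode == "hmac":
        # 128 bits of the tag is more than enough to avoid collisions in a log.
        replacement = keyed_pseudonym(ip_text)[:32]
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return replacement + line[m.end():]


if __name__ == "__main__":
    target = "203.0.113.42"
    print("unkeyed hash recovered:",
          recover_by_enumeration(plain_hash(target), "203.0.113.0/24"))
    print("HMAC recovered without key:",
          recover_by_enumeration(keyed_pseudonym(target), "203.0.113.0/24"))
    for line in SAMPLE_LOG:
        print(anonymize_log_line(line, "truncate"))
        print(anonymize_log_line(line, "hmac"))
```

Whether a keyed pseudonym still counts as personal data under GDPR is a legal question the thread does not settle; technically the point is that an unkeyed hash of an IPv4 address provides no protection at all, whereas truncation or an HMAC with a key that is destroyed at the end of the retention window at least removes the trivial reversal.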


> So in essence, it disallows logging IP address for any purpose, be it security, debugging, rate-limiting etc. because you can't give consent in advance for this, and no other sentence in Art. 6.1 applies.

In addition to the other answers, I want to point out that recital 49 says that it is possible under legitimate interest (6(1)f).


Thank you! This is the only non-vague answer, as it directly addresses the use-case.

If only I had known this in my last corporate role where this discussion alone cost us weeks :/


> So in essence, it disallows logging IP address for any purpose, be it security, debugging, rate-limiting etc. because you can't give consent in advance for this, and no other sentence in Art. 6.1 applies.

No, it doesn't. Subsections b, c, and f roughly cover this. On top of that, no one is going to come at you with fines for doing regular business things as long as you don't store this data indefinitely long, sell it to third parties, or use it for tracking. As laid out in Article 1.1.

On top of that, for many businesses existing laws override GDPR. E.g. banks have to keep personal records around for many years.


"Roughly", "regular business things" etc.

Sounds vague to me, which was the original point.




