That depends. First, no data collection is "anonymous" when it is transmitted. Any anonymity must come later, and then is only possible if the company aggregates the data with other users and deletes the original data that was collected.
PII/Personal Data are squishy terms. In the US, anyway, the legal definitions of what counts as "PII" leave out an awful lot of actual PII -- so any claim that "no PII is being collected" is meaningless without additional explanation of what data items are being collected.
No, IP address is personal data by the EU definition and you need a legal basis to process it. The strictly necessary legal basis allows for TCP connections required to provide the requested service.
It is clear that the EU does not consider telemetry to be strictly necessary and while there can be times when telemetry is allowable with the legitimate interest legal basis (for example, to prevent fraud or to comply with legal obligations), there is already plenty of case law across the EU that shows that the legitimate interest legal basis will not be accepted for user analytics.
For this reason, it seems unlikely that the proposed telemetry will be compliant in the EU.
> Because no network connection is anonymous but as long as you aren't handling PII
It's not the network connection that eliminates anonymity (although that, too), but the data itself. Even if there's no single piece of PII involved, fingerprinting is still a thing. That's why, if you want a hope at anonymity, you have to add the collected data into an aggregate collection and delete the original data records.
> Are we assuming 1Password is lying about anonymisation?
I wouldn't put it that way. Rather, I'd say that you shouldn't assume something is true just because a company claims it is. Especially when that thing can have a material effect on their profit margin.
Well, in the EU, the onus is on the data processor to show compliance, not the other way around.
However, Recital 30 (Online Identifiers for Profiling and Identification) clearly shows that IP addresses are personal data:
> Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.
There is plenty of case law to show that processing IP addresses (even if you discard them later) is processing personal data. For example, an Italian court included as part of a ruling:
> In this respect, it is worth pointing out that the IP address constitutes personal data insofar as it makes it possible to identify an electronic communication device, thus indirectly making the data subject identifiable as a user (see Article 29 Working Party, WP 136 - Opinion No 4/2007 on the concept of personal data, of 20 June 2007, p. 16). This is especially so where, as in the present case, the IP is associated with other information relating to the browser used and the date and time of browsing (see recital 30 of the Regulation).