Correct. Also note that IP addresses are counted as PII, so even sending an IP address (as required by any TCP/IP request) to a US-located or US-controlled server is illegal without getting consent beforehand.
I'm not sure that's how it works. Couple of things (IANAL):
1. I don't think an IP address alone constitutes PII but needs to be combined with other data to be applicable
2. Even if it were, I would imagine it falls under article 6 provisions where IP is required information to fulfill a contract which in case of HN as an example means delivering the web page to the browser
> 1. I don't think an IP address alone constitutes PII but needs to be combined with other data to be applicable
According to courts just the IP is considered enough:
The decision says IP addresses represent personal data because it's theoretically possible to identify the person associated with an IP address, and that it's irrelevant whether the website or Google has actually done so.[1]
> even sending an IP address (as required by any TCP/IP request) to a US-located or US-controlled server is illegal
Nope. Having the IP for making a TCP/IP connection is a technical requirement, one of the exceptions of GDPR (this also applies for logging, etc as long as you don't keep it forever, etc)
Let's not make up requirements where they don't exist
That is not true. IP addresses are explicitly stated as personal data. That they are a technical requirement for a connection only has repercussions on how you are allowed to store and process this data and the consent you need to get from the user for your data processing.
You are not allowed to send IP addresses (even if they are a technical requirement for connection set up) to companies under US government control before you get full consent from the EU user.
The "technical requirement" exception (to process data without consent) only applies to GDPR compliant data processors which US companies can't be because of the Cloud Act.
There is a huge difference between using your IP address in the course of the technical implementation of the IP protocol and the subsequent logging and re-transmission of that address to others. Effectively you are agreeing with the GP while starting your comment with 'that is not true'. It is true. And you confirmed it.
"(1) Processing shall be lawful only if and to the extent that at least one of the following applies: (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;"
"(1) Personal data shall be: (f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)."