I will describe a real situation. I am now connecting to the Amazon Europe site through my ISP, Fastweb. Both entities have to comply with the GDPR, and as far as I know, they do.
When I say “Connecting to Amazon Europe site” I am actually calling three different entities: let us call them Amazon Infrastructure, Amazon Application, and Amazon Accounting.
Amazon Infrastructure is responsible for the maintenance of the Web server, and they log my full IP address, my User-Agent, obviously the URI and other information.
They are subject to the GDPR, so that information has to be kept safe, must be the minimum necessary to ensure proper operation, and has to be purged after the data retention window expires. If it contained personally identifiable data, which it doesn’t, I would have to be informed and would have the right to request rectification or cancellation.
They are responsible for the session layer that ensures that I can communicate correctly and flawlessly with…
Amazon Application, which is the e-Shop front-end, and needn’t know my IP and therefore doesn’t. They have a Session ID (which they log) and, after authentication, a User ID. They should have nothing else because they don’t need it, and an appropriate API allows Amazon Application to show me my personal information, which it will never log, from…
Amazon Accounting, which knows my name, purchase history, bank information and so on. They don’t have my IP address or Session ID because they don’t need them. Also, for obvious reasons, I expect Amazon Accounting to exist within the digital equivalent of a fortified citadel. Here is my personally identifiable data (the IP is just personal), and I have the right to request an update or deletion, subject to other provisions of the law – for example, I can request that they forget everything about me, but payment data have to be kept for – if I remember correctly – up to ten years. They shouldn’t be able to access that information after my request, except in anonymous form.
Now, something bad happens – an order gets contested, and I swear I did not place it. Things go downhill to the point that the police get involved. The issue is between me and Amazon Accounting.
This is where Fastweb can be contacted, but Fastweb’s data will not be shared with Amazon. The police will collect data independently from the three Amazon entities plus Fastweb and run their own matching, which will allow them to pinpoint the physical location of the fibre-optic line from which packets with a certain IP address came on a certain day at a certain hour. They can also access any data that I asked to be forgotten and that Amazon accordingly sealed (so, “forgotten” does not mean “destroyed”).
If necessary, my device will be impounded and analyzed to determine whether it was the one that was used for the crime.
It is entirely possible and even likely that the plaintiff might win the suit and collect damages and still not know lots of the information that was assembled during forensic operations.
So, they will never “trace” anyone, because they can’t. But that someone will, nonetheless, be traced. Neither Amazon’s logs nor Fastweb’s logs are enough for the full trace (Fastweb doesn’t know that I visited Amazon’s website, nor can they legally sniff the traffic or log outgoing IPs except in very specific, limited scenarios; Amazon can’t know where the other end of a connection is), but together they are; under EU law, only police officers with a valid warrant can perform the match.
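The correlation the answer describes, as an added example that is not part of the original post and is not Amazon’s or Fastweb’s code: four constructed log sources (an ISP lease table, a web-server access log, an application session log and an accounting table), each holding only the fields the answer attributes to that entity, and a join that no single source can complete on its own. All identifiers, IPs and timestamps are made up, and the assumption that the infrastructure tier (which runs the session layer) records the session ID next to the client IP is mine; without some shared key the Infrastructure and Application logs could not be joined at all.

```python
"""Cross-entity log correlation: who was behind a contested order?

Added illustration, not code from the answer or from Amazon/Fastweb. Every
record below is constructed. Assumption (mine): the infrastructure access log
carries the session cookie alongside the client IP.
"""
from datetime import datetime


def ts(s):
    return datetime.fromisoformat(s)


# Fastweb: which subscriber line held which public IP, and when. The same IP is
# handed to another line later that evening, so any match must respect the window.
FASTWEB_LEASES = [
    {"ip": "203.0.113.45", "line": "FTTH-MI-0042", "start": "2024-03-10T08:00:00", "end": "2024-03-10T20:00:00"},
    {"ip": "203.0.113.45", "line": "FTTH-MI-0913", "start": "2024-03-10T20:00:00", "end": "2024-03-11T08:00:00"},
]
# Amazon Infrastructure: IP, User-Agent, URI, session cookie. No user identity.
INFRA_ACCESS = [
    {"ts": "2024-03-10T14:02:11", "ip": "203.0.113.45", "ua": "Mozilla/5.0", "uri": "/checkout", "session": "s-7f3a"},
    {"ts": "2024-03-10T21:15:40", "ip": "203.0.113.45", "ua": "curl/8.0", "uri": "/", "session": "s-9c1e"},
]
# Amazon Application: session -> user after login. No IP.
APP_SESSIONS = [
    {"session": "s-7f3a", "user_id": "u-1001", "login": "2024-03-10T13:58:02", "logout": "2024-03-10T14:10:00"},
    {"session": "s-9c1e", "user_id": "u-2002", "login": "2024-03-10T21:14:00", "logout": "2024-03-10T21:30:00"},
]
# Amazon Accounting: user -> orders. No IP, no session. A record the customer asked
# to be forgotten is sealed rather than destroyed and only released on a warrant.
ACCOUNTING = [
    {"user_id": "u-1001", "order": "ORD-5501", "placed": "2024-03-10T14:02:30", "sealed": False},
    {"user_id": "u-2002", "order": "ORD-5502", "placed": "2024-03-10T21:16:00", "sealed": True},
]


def amazon_side(order_id, warrant=False):
    """What the three Amazon entities together can say about an order: user,
    session, client IP and User-Agent. Never a physical location."""
    rows = [a for a in ACCOUNTING if a["order"] == order_id]
    if not rows or (rows[0]["sealed"] and not warrant):
        return None  # unknown order, or sealed under an erasure request
    acct = rows[0]
    placed = ts(acct["placed"])
    # Accounting -> Application: the session the user was logged into when ordering.
    sess = [s for s in APP_SESSIONS
            if s["user_id"] == acct["user_id"] and ts(s["login"]) <= placed <= ts(s["logout"])]
    if not sess:
        return None
    # Application -> Infrastructure: requests that carried that session cookie.
    hits = [h for h in INFRA_ACCESS if h["session"] == sess[0]["session"]]
    if not hits:
        return None
    hit = min(hits, key=lambda h: abs(ts(h["ts"]) - placed))  # closest to the order
    return {"user_id": acct["user_id"], "session": hit["session"], "ip": hit["ip"],
            "ua": hit["ua"], "uri": hit["uri"], "ts": hit["ts"]}


def isp_side(ip, when):
    """What Fastweb alone can say: which line held the IP at that instant.
    Nothing about which site was visited."""
    t = ts(when)
    for lease in FASTWEB_LEASES:
        if lease["ip"] == ip and ts(lease["start"]) <= t < ts(lease["end"]):
            return lease["line"]
    return None


def full_trace(order_id, warrant=False):
    """The match only the police can perform: join the Amazon side to the ISP side."""
    a = amazon_side(order_id, warrant)
    if a is None:
        return None
    line = isp_side(a["ip"], a["ts"])
    return None if line is None else {**a, "line": line}


if __name__ == "__main__":
    print(amazon_side("ORD-5501"))                            # IP and UA, no line
    print(isp_side("203.0.113.45", "2024-03-10T14:02:11"))    # line, no order
    print(full_trace("ORD-5501"))                             # FTTH-MI-0042, not -0913
    print(full_trace("ORD-5502"))                             # None: sealed, no warrant
    print(full_trace("ORD-5502", warrant=True)["line"])       # FTTH-MI-0913
```

The time-windowed lease match is the part that matters in practice: a carrier-grade or dynamically assigned IP is reused, so an IP alone on a given day points at several lines, and only the timestamp from the web-server log narrows it to one. The sealed record shows the "forgotten but not destroyed" state: the same function returns nothing without the warrant flag and the full chain with it.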