> Are we assuming 1Password is lying about anonymisation?
I wouldn't put it that way. Rather, I'd say that you shouldn't assume something is true just because a company claims it is. Especially when that thing can have a material effect on their profit margin.
Well, in the EU, the onus is on the data processer to show compliance, not the other way around.
However, Recital 30 (Online Identifiers for Profiling and Identification) clearly shows that IP addresses are personal data;
> Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. 2This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.
There is plenty of case law to show that processing IP addresses (even if you discard them later) is processing personal data. For example, an Italian court included as part of a ruling:
> In this respect, it is worth pointing out that the IP address constitutes personal data insofar as it makes it possible to identify an electronic communication device, thus indirectly making the data subject identifiable as a user (see Article 29 Working Party, WP 136 - Opinion No 4/2007 on the concept of personal data, of 20 June 2007, p. 16). This is especially so where, as in the present case, the IP is associated with other information relating to the browser used and the date and time of browsing (see recital 30 of the Regulation).
Are we assuming 1Password is lying about anonymisation?
My point is they didn't "sneak it past the regulators", it's plainly legal to do this under GDPR, and if it isn't I need a citation.