> So, if a company issues differently coloured jumpers to its staff, and holds a list of the jumpers issued against staff IDs, the jumper colour becomes controlled data for the purposes of data protection
You (and they) seem to have made the incorrect leap that 1 IP at one point in time = 1 person. If you can then figure out who that person is, you have identified who did what.
However in the real world it's normal to have 1 IP = a whole organisation / household. Someone in that organisation may have an account with an ISP, but it doesn't follow that they did whatever was attributed to the IP address in question. Yes it's possible to have a single public IP for a single individual, but it's far from a certainty. I suppose that to be safe, the judgement is that ALL IPs will be counted as potential PII.
In your jumper example, the company assigns jumpers to particular individuals, but then many other individuals wear their own jumpers with the same colours. Also some of the people assigned jumpers don't wear them somedays, and wear their own jumpers of different colours. This is still being counted as PII. You can't use it to identify someone, but it still counts.... which is the confusing part.
The write-up on the case is interesting: https://www.whitecase.com/publications/alert/court-confirms-ip-addresses-are-personal-data-some-cases
If you can obtain the required information from another party then it's also considered PII. In this case they considered that the organisation in question had the power to legally compel another entity to reveal information to complete the chain and identify the individual.
For the rest of us in a less privileged position, if the user has revealed their IP anywhere we can obtain it and link to them then that would seem to make it PII. As you cannot guarantee that they didn't already do this (or won't do it in the future), then it's best to regard it as PII always - yes it's tenuous, but until the first round of legal cases have established precedent, who knows.