I'm actually saying that both are a requirement for logging IPs in the circumstances being discussed here, but I certainly don't mean to suggest that either would grant you "carte blanche" to collect and log IPs.
I suspect that logging IP only for security purposes is fine, but the idea that it is a bulletproof defense is just wrong; we have no idea. Current indicators are that regulators think IP is personal & that legitimate interest defenses are suspect.