The changing meaning of "personal data"

This resource serves as an inquiry into exactly what kind of information is “personal information” or “personal data” and how statutory definitions are subject to reinterpretation as technology evolves.

When FTC Commissioner Julie Brill last year described her vision of privacy in the future, which she dubbed Privacy 3.0, she opined that the distinction between “personally identifiable information” (PII) and “non-PII” is “blurring.” This remark led the IAPP to start an inquiry into exactly what kind of information is “personal information” or “personal data” and how statutory definitions are subject to reinterpretation as technology evolves. The IAPP hopes that this initial effort will lead to further discussions about what should be protected by privacy law.

What is PII: Statutory Definitions

A starting point is a consideration of what constitutes PII under current statutory law. Is PII all information about a person? Does the information need to directly identify a person? Is it only recorded information? Does the information need to be true? Is a “person” only a natural person, or can it be a legal person such as a corporation or organization? If the person is a natural person, does it matter whether they are dead or alive?
These and other queries can be answered by examining the definitions of “personal information” or “personal data” in various countries. To begin a conversation about the nature of “data,” the IAPP surveyed the definitions of personal data across 36 data protection laws in 30 countries. A summary of that research is attached.
Those 36 laws have taken many approaches. Some of these definitions, such as those in the United States, are relatively narrow and often specify particular items, while others, especially those in European Union countries and in laws modeled on their approach, tend to be broader.