SCOPE OF PERSONALLY IDENTIFIABLE DATA (PII) UNDER GDPR, CCPA AND DPB 2021

ILE Legal Blog

Author – SAEE VAISHAMPAYAN, Student from GOVERNMENT LAW COLLEGE, MUMBAI

INTRODUCTION: WHAT IS PII?

Personally identifiable information (PII) is defined by the US Office of Privacy and Open Government as “Information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.”

Personally Identifiable Information (PII) is a collection of data that can be used to identify a specific person. It is regarded as sensitive information and is the data that can be used for identity theft. PII can be as simple as a user’s name, address, and birth date or as sensitive as a user’s full name, address, social security number, and financial information. PII may contain direct identifiers such as information on the driving license that can uniquely identify a person, or quasi-identifiers like race, caste, or clan that can be combined with other quasi-identifiers (for example, date of birth) to efficiently distinguish an individual.

Due to its high value when sold on darknet markets, PII is a target for attackers in a data breach. There is no single rule that determines what is PII and what is not. PII is a collection of data, but it could be any single piece of information. A full name, for example, is insufficient personally identifiable information for an attacker to use, whereas a social security number identifies a specific individual. An individual’s identity is narrowed by their first and last name, but without an address and more specific information, the individual could remain anonymous. To be effective, PII must provide sufficient information to specifically identify an individual among millions of others.

GDPR

The General Data Protection Regulation (GDPR) is a set of data protection laws that apply to all companies that have digital interactions with EU citizens. GDPR was designed to replace the 1998 Data Protection Act by establishing a more uniform and streamlined data security policy that protects user data in the future. There are 99 articles in the full text of the GDPR that outline the rights of individuals and duties expected of organisations subject to the regulation. The rights for individuals include making it simpler for people to access the data that businesses have collected about them, a new system of fines, and a clear obligation for businesses to obtain the consent of the people whose data they are collecting.

In the context of GDPR, personal data encompasses a much broader range of information than personally identifiable information (PII), the term commonly used in North America. In other words, while all PII is considered personal data, not all personal data is PII.

Article 4 of the GDPR defines “personal data” as follows: ‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. There are four main elements in the definition, and they are helpful in understanding whether data is personal data or not. These elements are –

  1. “any information” – This feature is extremely inclusive. It contains both “subjective” information, such as employment ratings, and “objective” information, like a person’s height. Additionally, it is not constrained to any one format. Data in the form of music, video, numbers, graphics, and photos can all contain personal information. For example, a child’s drawing of their family, completed as part of a psychiatric evaluation to find out how they feel about various family members, might be regarded as personal data insofar as it reveals details about the child (their mental health as determined by a psychiatrist) and their parents’ behaviour.
  2. “relating to” – In general, information can be said to “relate” to an individual when it is about that individual. To consider data related to someone, one of the three following attributes must be present: content, purpose, or result. These three attributes should be regarded as alternative conditions rather than combined ones. As a result, the same piece of information may apply to multiple people at the same time, depending on which element is present in each one.
  3. “an identified or identifiable” – The concept of “directly” or “indirectly” identifiable implies that the extent to which certain identifiers are sufficient to achieve identification depends on context. A natural person is “identifiable” when, although the person has not been identified yet, it is possible to do so. The GDPR provides a non-exhaustive list of common identifiers that, when used, may allow the identification of the individual.
  4. “natural person” – Under this element, a company’s data is not counted as personal data. It clearly indicates that, for data to be personal data, the individual must be alive. Data related to a deceased person is rarely considered personal data under GDPR.

The list of data the GDPR protects is fairly broad and includes: basic identity information such as name, address, and ID numbers; web data such as location, IP address, cookie data, and RFID tags; health and genetic data; biometric data; racial or ethnic data; political opinions; and sexual orientation.

CCPA

The California Consumer Privacy Act (CCPA) is a state-wide data privacy law that regulates how businesses all over the world are allowed to handle the personal information (PI) of California residents. The effective date of the CCPA was January 1, 2020. It is the first law of its kind in the United States.

Personal information is defined in the CCPA as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” (1798.140.o1).

The key takeaways here are “capable of being associated with, or could be reasonably linked, directly or indirectly, with a consumer or a household.” This definition opens the door to extremely broad legal interpretation of what constitutes personal information, stating that personal information includes any data that could be linked to a California individual or household. This extends far beyond data that is obviously associated with an identity, such as a person’s name, birth date, or social security number, which is traditionally considered PII. It is ultimately this “indirect” information—such as product preference or geolocation data—that is material because it is much more difficult to identify and link to a person than well-structured personally identifiable information.

Here, Personal Information includes:

  • direct identifiers such as real name, alias, postal address, social security numbers etc.,
  • unique identifiers like cookies, IP addresses and account names,
  • biometric data such as face and voice recordings,
  • geolocation data such as location history,
  • internet activity such as browsing history, search history, data on interaction with a webpage or app,
  • sensitive information such as health data, personal characteristics, behaviour, religious or political convictions, sexual preferences, employment and education data, financial and medical information.

Data that, through inference, can identify a person or a household also falls under the category of personal information. Unless re-identifiable, aggregate and anonymous data is exempt from the CCPA. This means that data that is not personal information can become so under the CCPA if it can be used to identify an individual or a household through inference or combination with other data.

DPB 2021

Though inspired in part by the EU General Data Protection Regulation, India has ultimately forged its own path toward data protection with several unique provisions, such as combining personal and non-personal data under the same umbrella. The DPB 2021, once passed, will replace the current data protection framework under Section 43A of the Information Technology Act, 2000 (“IT Act”) and the rules framed thereunder, namely the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data of Information) Rules, 2011 (“SPDI Rules”).

PDP Bill 2019, Section 3 (28) defines Personal Data as – “Personal Data” means data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, whether online or offline, or any combination of such features with any other information, and shall include any inference drawn from such data for the purpose of profiling.

  1. Data – The term ‘data’ is defined under the PDP Bill section 3(11) to include a representation of information, facts, concepts, opinions, or instructions in a manner suitable for communication, interpretation, or processing by humans or by automated means. All objective and subjective information regarding a natural person may be considered to be personal data. Even an individual’s assessment or opinion of self would be considered personal data. The accuracy of the information will be immaterial in order to be protected under the PDP Bill. The term “personal data” does not only refer to a person’s private or personal life. Additionally, it contains details on the person’s public or professional activities. Furthermore, the definition of data stipulates that the information may be in any format and processed manually or automatically. Personal data can even include data that is manually processed and stored offline.
  2. About or relating to – Any information about or relating to an individual would be considered to be personal data. It gives a broad meaning to the concept of personal data. Sometimes it may not be easy to establish whether a piece of information relates to an individual or not. The Justice BN Srikrishna Committee, in its report on data protection titled ‘A Free and Fair Digital Economy – Protecting Privacy, Empowering Indians’ notes that developments in data science have considerably changed the understanding of identifiability and that data no longer exists in binary states of identifiable or non-identifiable. The report suggests that to determine whether the information relates to and identifies an individual, it is important to evaluate the context in which the data is processed.
  3. Profiling – Profiling has been defined under Section 3 (32) of PDPB – “profiling” means any form of processing of personal data that analyses or predicts aspects concerning the behaviour, attributes or interests of a data principal.

So, the Private Data includes data relating to a natural person, who is directly or indirectly identifiable, and also includes inferences drawn from such data for the purpose of profiling.

Sensitive personal data – The scope of SPD has been expanded (in comparison with the SPDI Rules) and includes financial data, health data, official identifier (which includes Aadhaar number), sex life, genetic data, transgender status, intersex status, caste, or tribe, religious or political belief or affiliation etc.

Critical personal data – The Central Government will tell what constitutes CPD.

According to the revision (Clause 2) submitted by the JPC to the PDP Bill 2019: The scope of the Personal Data Protection Bill has undergone an expansion and will now cover both personal and non-personal data. The bill has been renamed from “Personal Data Protection Bill” to “Data Protection Bill (Bill).” The same regulator is expected to regulate non-personal data and personal data, because “it is impossible to distinguish between personal data and non-personal data, when mass data is collected or transported.” Non-personal data (defined as all data other than personal data and includes anonymised data) has been brought within the ambit of the DPB 2021.

CONCLUSION

PII can be referred to as “personal information” under CCPA, while both GDPR and DPA refer to it as “Personal Data”. Any data that can be used to identify one person from another is referred to as PII. The GDPR and DPB explicitly give a very broad definition of personal data. It includes any information that relates to an identifiable natural person. In contrast to PII, personal data covers a wider range of situations, for instance genetic information, online aliases, browser cookies, device IDs, and IP addresses. Although not individually identifiable information, some characteristics, such as religion, race, sexual orientation, or medical history, may be categorised as personal data. CCPA holds that personal information is any data that could be linked with a California individual or household. This goes well beyond data that is obviously associated with an identity, such as name, birth date, or social security number, which is traditionally regarded as PII. Not all personal data / information is PII. In comparison to Personal Information and Personal Data (GDPR, CCPA and DPB 2021), PII has a more limited scope.