Everything
Well, more or less. A touch flippant perhaps, probably not what you expected, and I’m pretty sure it wasn’t what you hoped for. There it is though; I respect you all too much to sugar-coat it, and I expect a fair few would call me out on it if I tried to. There’s a reason why the General Data Protection Regulation (GDPR) has been called “The Law of Everything”!
I’d rather tell it to you straight: the definition of Personal Data is unworkably broad and deep. We’re not going to change that anytime soon, though, so on that basis I say let’s drag this bogeyman into the light, examine it, and find some ways to live with it.
Fair warning: these articles may make you feel worse before you feel better! Stick with it though.
Breach Reporting Laws: An Unfortunate Misdirect
Breach reporting laws have been around for a long time, people are familiar with them, and they contain definitions of Personal Data. That familiarity allows System 1 thinking to try to take over, but we need to take a step back and be in System 2 again. There are things we need to surface and understand here; it’s not the right time for the quick route.
The term ‘Personal Data’ may appear in breach reporting laws, but those laws define it very differently. In fact, breach reporting laws take a completely different approach, not only to the definition but to how the law works. In general, the state-by-state breach reporting laws take a prescriptive ‘rules based’ approach, while privacy laws take a ‘principles based’ approach. They aren’t even close to being the same thing.
For now, let’s just ignore those breach reporting laws. Whenever I say ‘Personal Data’ I mean the much broader definition used in privacy laws.
The Privacy Law Definition
In contrast to the ‘rules based’ approach of data breach reporting laws, privacy laws take a ‘principles based’ approach. You’ll immediately see the difference in the more open language and ideas used in the legal definitions below.
The GDPR defines personal data as:
any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier…
The California Consumer Protection Act (CCPA) defines personal data as:
information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes…
Gone is any idea of prescriptive lists of fields and combinations. These definitions are wide open and require the reader to understand, interpret, and apply them. They are more of an instruction manual on how to identify Personal Data than an exhaustive, granular definition. That isn’t healthy for us.
Working With That Loose Definition
Humans love to reduce and simplify things (System 1 thinking),…