Read the book Privacy Risk Analysis - Sourya Joyee De - Page 13
CHAPTER 4
Personal Data
In this chapter, we first discuss the differences between the definitions of personally identifiable information (PII) in the U.S. and personal data in Europe (Section 4.1). We also summarize the ongoing debates on anonymization, which is a central issue in this context (Section 4.2). We proceed with a categorization of personal data and a discussion about specific categories of data considered sensitive by certain regulations (Section 4.3). Next, we present the set of data attributes to be considered in a privacy risk analysis (Section 4.4). Data categories and attributes are then illustrated with the BEMS System (Section 4.5).
4.1 EUROPEAN AND U.S. VIEWS
The notions of “personal data” in the EU and “personally identifiable information” (PII) in the U.S., which are the cornerstones of modern privacy regulations, do not carry exactly the same meaning. The first part of our discussion concentrates on these variations and the differences between the U.S. and the EU approaches to privacy.
Table B.1 in Appendix B shows various definitions of personal data and personally identifiable information. The sources of these definitions are mostly privacy laws and standardization documents. For example, the CNIL¹ guidelines [32, 33] refer to the definitions of personal data from the EU Directive [47], the French Data Protection Act [50] and the ISO standard ISO/IEC 29100:2011 [72].
Considering the central role of the notion of personal data in the legal framework, the EU Directive [47] has introduced the following general definition:
“Personal data shall mean any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.”
As a first comment, it may be noted that the EU Directive does not seem to distinguish between “data” and “information.” In fact, the two words are not always used with the same meaning in the literature,² but this distinction is not essential here and we will, like the EU Directive, use them interchangeably.