Does “We Don’t Collect PII” Still Work?

Published: May 2, 2017 Updated: October 25, 2018 Author Category Data Privacy & Security

Let’s rephrase the question to read “can you afford to keep using old adages to avoid privacy obligations”? Remember, GDPR influences the risk equation with fines that can go as high as 20 million euros or 4% of global turnover, combined with a massive loss of consumer trust.

Once we acknowledge that the risk equation has shifted negatively with respect to data – there is already significant talk of toxic data today – and our inherent privacy obligations, it’s time to define whether such compliance duties apply to begin with.

Legislation demystified

Legislation typically feels complicated for those of us in technology because information is confusing and often scattered all over the place, while all sorts of legalese terms are used, some of which are even in Latin!

But once you get started, you quickly adapt and find the process often resembles a decision tree with yes/no modes to define successive steps and attribution of accountable mitigation actions. That’s where most companies are today with respect to GDPR, if not already well underway: getting their heads out of the sand and evaluating step by step what needs to be done, as well as documenting who will be responsible, both internally and externally.

And while the digital industry is eagerly awaiting the impact of Directive 2002/58/EC being repealed (that’s the official name of the current ePrivacy Directive, also wrongly referred to as the Cookie Directive) and replaced with the ePrivacy Regulation, the question remains whether consent should be asked for, or will legitimate interest miraculously be re-introduced? What about DNT? – that first YES/NO node has already switched.

That first yes/no node, Does privacy legislation apply to my digital activities? (be it web analytics, digital analytics, programmatic, using a DSP, DMP, or Ad Exchanges) has been nailed down, if only partially by the GDPR. How far will those obligations stretch is still not clear, though – for now the debate revolves mainly around consent giving and DNT, legitimate interest is not part of the current ePrivacy Regulation draft.

Until May 2018, the answer to that question of the legislation’s applicability to digital activities in accordance with the current 95/46/EC Directive can still be reasonably construed as NO. That said, GDPR introduces the concept of pseudonymous data, while mentioning cookies and unique identifiers, which changes the answer to YES: privacy obligations apply to the digital sphere under GDPR.
More specifically, Recital 30 concludes by saying “the explicit introduction of “pseudonymisation” in this Regulation is not intended to preclude any other measures of data protection”.

Free Cheat Sheet: PII, Personal Data or Both?

Learn the main differences between personally identifiable information (PII) and personal data. Get to know the types of information that are the subject of the new European data privacy regulation (GDPR).

Download FREE Cheat Sheet

Calm down and justify

Before you panic, let’s first of all state once again that this does not, for now, mean you need to ask for consent. Those who are feeling nauseous about potential re-runs of the cookie wall debates that started back in 2011, particularly for the online advertising sector, should remember that there is more to privacy legislation than asking for consent.

GDPR, when talking of Lawfulness of Processing in Article 6, provides for 6 ways to justify why data is being processed, two of which are legitimate interest and, yes, consent. How these will find themselves reflected in the currently debated ePrivacy Regulation, including for the online advertising sector, is still anyone’s guess – not even the bookies are happy to take bets on the evolution of Article 8.

Having said that, the current ePrivacy draft does specify in Article 8 that “the use of processing and storage capabilities of terminal equipment and the collection of information from end-user’s terminal equipment…”
aka cookies: placing, reading and synching them
“…shall be prohibited, except on the following grounds”
“(a)… (c)”
“(d) if it is necessary for web audience measuring, provided that such measurement is carried out by the provider of the information society service requested by the end user”.

This means that web analytics, as we used to know it in the form of site-centric audience measurement, if installed on premises can be used without asking for consent.

on-premises web analytics no consent needed

Consent and intranet

One might argue that other applications are needed for measurement, typically in the case of Intranets. Here consent is increasingly part of employee contracts and/or comes as part of an IT security charter.

So again, there’s still no reason for panic, but there are some caveats, particularly if those Intranets are username/login based and contain employee data. Indeed, various pieces of legislation, ranging from Canada’s PIPEDA to Germany’s section 32 of the current Federal Data Protection Act limit the potential uses of such data to such practices as detecting fraud or preventing crimes, and there is the fact that a user’s rights should not be negatively influenced by the transfer of such data beyond European borders (read PrivacyShield is increasingly a potential risk for international data transfers).

You should therefore be extra-careful, also when considering increased BYOD – Bring Your Own Device – practices, about which tools are used for Intranet processing.

Such caution around the use of Intranets, besides the obvious differences in privacy rights between the EU and other regions, should also be applied in respect to the USA, as under most state legislation usernames are considered PII (Personally Identifiable Information).

The objective of this article is not to compare the logic of PII vs. European “Personal Data” and “pseudonymous data” descriptions, as such a comparison can be found here. Yet you should recognize that the clear boundaries we have worked under during the Information Age, rules which the current Directive is the fruit of, should now be revisited under the Data Age that is emerging through the clicks of our mice and the tips of our fingers.

clear boundaries should be revisited

The distinctions between PII and Personal Data have become blurry as even the USA is expanding the definition of PII, following in the footsteps of Article 29 of the Working Party, which recommended as early as 2009 that IP addresses be recognized as personal data.

Today a lot of Data Privacy Impact Assessments – required by GDPR where “a type of processing in particular using new technologies… is likely to result in high risk to the rights and freedoms of natural persons…” under Article 35 – recognize IP addresses, even dynamic ones under certain contexts, as entailing data protection and privacy obligations.

Privacy matters

Accepting that the “we don’t collect PII” stance doesn’t work anymore flows from that very same movement, independent of whether the data is being processed on EU soil or elsewhere.
And while consent obligations remain daunting, surely applying data protection and security best practices in this age of security breaches and rapidly evolving data markets should be viewed in categories other than just increased cost.
We should apply the adage of “Trust and Care” to the data your company has been entrusted with to make that data work for your company, so you are effectively competing on trust.

Free Cheat Sheet: PII, Personal Data or Both?

Learn the main differences between personally identifiable information (PII) and personal data. Get to know the types of information that are the subject of the new European data privacy regulation (GDPR).

Download FREE Cheat Sheet

Author:

Aurélie Pols, Contributor

A former Data Governance and Privacy Engineer with Salesforce (previously Krux Digital Inc.), a member of the European Data Protection Supervisor’s Ethics Advisory Group, a professor at IE Business School in Madrid, and an advisor to the International Association of Privacy Professionals (IAPP). A founder of a Privacy and Data Protection Consultancy, Mind Your Privacy.

See more posts of this author
Free Web Analytics Vendor Comparison Download

Share