The PII Problem: Privacy and a New Concept of Personally Identifiable Information

Paul M. Schwartz, Berkeley Law School

Daniel J. Solove, George Washington University Law School; Senior Policy Advisor, Hogan Lovells; Founder, TeachPrivacy



Schwartz and Solove


Changes in Technology and the Meaning of PII


Three Approaches to PII in US Law

1. Tautological Approach

2. Non-Public Approach

3. Specific Types Approach


No uniform international definition of PII

• PIPEDA uses term “identifiable” data

• Tendency is for broad definition of PII: PIPEDA reflects EU perspective


EU approach to PII

Broad definition:

“information relating to an identified or identifiable person”


Identifiable = identified

Personal data if “the reference person is identifiable”

Dammann, Kommentar zum BDSG, (Simitis, ed., 2011)


Problems of De-Identification


Internet Movie Database


PII and non-PII-- not a fixed line

Impact of technology developments and social practices


Abandon PII?


Keep PII? Abandon PII as Regulatory Concept?

Just regulate data?


PII 2.0

• Identifiability is a continuum of risk.

• A standard not a rule

• Not a hard “off-on” switch, but tailored Fair Information Practices


PII 2.0: Three categories

Identified

Identifiable

Non-Identifiable


Risk of Identification

IDENTIFIED

Very high risk

Moderate risk

Nontrivial risk

Very low risk

ZERO RISK


PII 2.0: Three categories

Identified

• plus identifiable data when significant probability of linkage to specific person

Identifiable

Non-Identifiable


PII 2.0 -- Dangers of “Release and Forget”

Need for:

Track-and-audit approach

Risk assessments


PII 2.0 = compatible with “privacy by design”

Privacy protection embedded in technological design and business practices


Takeaway

• Great legal uncertainty about concept of PII– and on worldwide basis

• Hard to predict impact of privacy law on businesses: a source of risk


Thank you!