(Student’s Full Name)
The Ways in which Individuals and/or Organizations are impacted by Personally Identifiable Information (PII) and what is being done to prevent the Impact
Introduction
“[Behavioral tracking], while lauded by industry analysts as the next generation of online advertising, [it] facilitates market growth at the expense [of] a citizen’s personally identifiable information”.
The above statement by Andrew Hotaling was written against the background of online advertisers requiring information related to a potential customer’s online “browsing activity”. Hotaling explains that this would enable online advertisers to locate an individual who is “most likely to purchase products and services after” seeing “online advertisements”. Although most individuals are concerned that their own and their family’s personally identifiable information (PII) is easily accessible through behavioral tracking technologies, there is little that lawmakers can do about the issue. This is because the term personally identifiable information is not uniformly defined in the United States’ “information privacy law”. This is exemplified in the California Senate Bill 1836, which states that “personal information” can be defined to include “Social security numbers, driver’s license numbers, financial accounts”. However, this definition does not include “email addresses” or “telephones”. When the term is defined in this manner, the legislation emphasizes the “types of data” that are generally used to identify an individual rather than data that violates “privacy” or reveals “some sensitive information” about a person. Furthermore, “computer science” demonstrates that PII is not a “straightforward” term. This is because persons working within the IT industry “can take information that appears” to be “non-identifiable” at face value and change it into “identifiable data”. Nevertheless, it is important that PII data is defined because PII data is “protected” under the law while data that is not considered to be PII is unprotected. In light of the above information, it can be argued that PII has the potential of preventing third parties from breaching an organization's or individual's privacy.
Hence, there needs to be significant legal reform to ensure that PII is properly defined so that an individual’s or organization’s security is not endangered.
The Ways in which Individuals and Organizations are impacted by PII
According to Paul Schwartz and Daniel Solove, PII helps to define “the scope and boundaries” of a variety of “privacy statutes and regulations”. Therefore, it is problematic that the legal community in the United States has failed to provide an adequately clear definition for the term PII. Schwartz and Solove explain further that this situation is not alleviated even if a person decides to surf the net anonymously. This is because a person can still be traced through the “internet protocol” address, which is “assigned to every computer connected to the Internet”. As a result, an internet protocol or IP address can be used to expose the personal identity of an “account holder” of a broadband Internet service. However, some argue that since one computer can be used by “multiple members of a household” or by several persons within an organization or business, the IP address can be considered “non-PII” and, in that case, does not identify a particular individual. If in a legal case an IP address was considered to be “non-PII”, then that would mean that data “within this category” is not “protected”. Therefore, if a third party uses an IP address to discover an individual’s or organization’s personal information, and it is considered to be outside of the domain of PII, then that information can be collected, used, and disclosed without there being any “privacy harm” committed. It is because of this fact that Schwartz and Solove mention that the privacy laws in the United States simply focus on “personal data that has been specifically associated with a specific person”. This means that “too much personal information” is left without “legal protections”.
The Measures that can be taken to deal with the Impact of PII in Privacy Law Reform and Development of Privacy Protection Technologies
Hence, some academics have argued that PII is a “fatally flawed concept” and, therefore, current privacy laws should abandon their dependence on PII and discover an “entirely new paradigm on which to regulate information privacy”. On the other hand, it would be best if PII was properly defined or “reconceptualized” in order for the current “privacy laws” to “remain effective in the future”. In addition, Schwartz and Solove argue against using the Europeans’ approach to privacy laws that does not make a distinction between “identified and identifiable data”. Furthermore, the European privacy laws consider data that has been connected to an individual or organization, and data that “might” be connected to that individual or organization in the “future” to be “irrelevant”. Schwartz and Solove contend that privacy laws should provide differing “legal protections” for “identified and identifiable data”.
Arvind Narayanan and Vitaly Shmatikov argue against the act of “de-identifying” information so that it can be safely released without it being connected to the individual or organization that created a data record. Instead, the scholars posit that privacy protection technologies should be created to practice “[d]ifferential privacy” because it “formally defines what it means for a computation” task to be “privacy preserving”. The academics contend that this approach is different from simply “de-identifying” information before releasing it because it “makes no assumptions about the external information available to the adversary”. Nevertheless, Narayanan and Shmatikov agree that privacy protection technologies using “[d]ifferential privacy” are not enough. An “interactive, query-based approach” is needed when developing new privacy protection technologies to deal with “privacy protection” on a “case-by-case basis”.
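The interactive, query-based approach described above can be illustrated with a short sketch. It is an added example, not part of the original essay or of Narayanan and Shmatikov's article, and it assumes the Laplace mechanism as the differential privacy technique; the class name `PrivateCounter`, the sample records and the budget values are constructed for illustration.

```python
import random

# Constructed sample records: (zip_code, age, has_condition). Not real data.
RECORDS = [
    ("94110", 34, True), ("94110", 35, False), ("94112", 61, True),
    ("94112", 29, False), ("94114", 47, True), ("94114", 52, False),
]

class PrivateCounter:
    """Hypothetical query interface: raw records never leave this object.
    Each counting query is answered with Laplace noise and charged against
    a fixed privacy budget (total epsilon)."""

    def __init__(self, records, total_epsilon, seed=None):
        self._records = list(records)
        self.remaining = total_epsilon
        self._rng = random.Random(seed)

    def _laplace(self, scale):
        # The difference of two i.i.d. exponentials with mean `scale`
        # is Laplace-distributed with location 0 and that scale.
        rate = 1.0 / scale
        return self._rng.expovariate(rate) - self._rng.expovariate(rate)

    def count(self, predicate, epsilon):
        if epsilon <= 0:
            raise ValueError("epsilon must be positive")
        if epsilon > self.remaining:
            # Refusing matters: unlimited queries let the noise be averaged away.
            raise PermissionError("privacy budget exhausted")
        self.remaining -= epsilon
        true_count = sum(1 for r in self._records if predicate(r))
        # Adding or removing one record changes a count by at most 1
        # (sensitivity 1), so noise of scale 1/epsilon gives epsilon-DP.
        return true_count + self._laplace(1.0 / epsilon)

def has_condition(record):
    return record[2]

if __name__ == "__main__":
    server = PrivateCounter(RECORDS, total_epsilon=1.0, seed=7)
    print(server.count(has_condition, 0.5))
    print(server.count(lambda r: r[1] > 40, 0.5))
    try:
        server.count(has_condition, 0.5)
    except PermissionError as exc:
        print("refused:", exc)
```

Unlike a de-identified release, the guarantee here does not depend on what outside data the person asking already holds; it depends only on the noise scale and on the budget being enforced.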
Conclusion
In conclusion, PII is becoming an increasingly important topic in the area of online privacy since it can help to protect an individual or organization from having his or its personal information disclosed. However, the current privacy laws do not adequately define the term PII. Some academics have contended that privacy laws should not be required to depend on the vague concept of PII. On the other hand, there are others who argue that privacy laws should not adopt an approach that is like the Americans’ or Europeans’, but should provide different “legal protections” for “identified and identifiable data”. Furthermore, “[d]ifferential privacy” should be used along with an “interactive, query-based approach” when developing new privacy protection technologies that deal with each case differently.
References
Hotaling, A. (2008). Protecting Identifiable Information on the Internet: Notice and Consent in the Age of Behavioral Targeting. Commlaw Conspectus, 16, 529-565. Retrieved February 22, 2016
Narayanan, A., & Shmatikov, V. (2010). Privacy and Security: Myths and Fallacies of "Personally Identifiable Information". Communications of the ACM, 53(6), 24-26. doi:10.1145/1743546.1743558
Schwartz, P., & Solove, D. (2011). The PII Problem: Privacy and a New Concept of Personally Identifiable Information. New York University Law Quarterly, 86, 1814-1894.