Personal Data
Personal Data may simply be defined as any information about a person. As a legal concept, it may be used to capture any digitized information that can be used to identify a human being.[1] The scope of what may be considered “personal” data (as opposed to “non-personal” data) depends upon the jurisdiction under which the term is being read.[2] What is “personal” is defined differently across the world. Such data can range from somebody’s name and email address to their physical characteristics and location data. Since the rise of the dot-com era in the early 2000s, questions regarding one’s data, particularly in how individuals interact with the internet and their privacy, have come to the forefront. This is why the term is intimately tied to the right to privacy, specifically that of informational privacy. In India, the term has officially been defined under the Digital Personal Data Protection Act of 2023.[3] Before that, the Sensitive Personal Data Information Rules 2011 defined the term “personal information,” which was later replaced by “personal data.”[4][5]
Official Definition of Personal Data
As Defined in Legislations
At the moment, the Digital Personal Data Protection Act 2023 is the principal legislation governing the processing of digital information of individuals in India. The Act states:
“An Act to provide for the processing of digital personal data in a manner that recognizes both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes and for matters connected therewith or incidental thereto.”
Key definitions under the DPDPA 2023 include:
- Data (Section 2(h)): “A representation of information, facts, concepts, opinions, or instructions in a manner suitable for communication, interpretation, or processing by human beings or by automated means.”
- Digital personal data (Section 2(n)): “Personal data in digital form.”
- Personal data (Section 2(f)): “Any data about an individual who is identifiable by or in relation to such data.”
- Personal Data Breach (Section 2(g)): “Any unauthorized processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction, or loss of access to personal data that compromises its confidentiality, integrity, or availability.”
Earlier, the Sensitive Personal Data Information Rules 2011 defined “personal information” as:
“Any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such a person.”
The Information Technology Act of 2000, amended in 2008, defined “sensitive personal data or information” under Section 43A but left it to the Central Government to prescribe the exact categories of sensitive data.[6]
Other Indian laws, such as the Aadhaar Act, the Credit Information Companies Act, and state-specific data regulations, also interact with the concept of personal data in various contexts.[7][8]
As Defined in Official Documents
Guidelines on Mutual Legal Assistance in Criminal Matters (2019)
The Guidelines on Mutual Legal Assistance in Criminal Matters (2019), issued by the Ministry of Home Affairs, define personal data for the purpose of executing reciprocal agreements with other countries. They define personal data as:
Personal Data means data about or relating to a natural or legal person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person or legal, or any combination of such features, or any combination of such features with any other information.
As Defined in Cases
Legal precedent has also shaped the definition of personal data. In K.S. Puttaswamy v. Union of India (2017), the Supreme Court recognized informational privacy as a fundamental right but did not explicitly define “personal data.”[9] The judgment referenced the European Court of Human Rights case of S and Marper v. United Kingdom, which held that fingerprints, DNA profiles, and cellular samples constitute personal data as they relate to identifiable individuals.[10]
As Defined in Committee Reports
B.N. Srikrishna Committee Report (2018)
The B.N. Srikrishna Committee Report defined personal data as any information related to an identified or identifiable individual. This standard had been widely accepted since the 1980s and was used in most jurisdictions to determine the scope of data protection laws. However, advancements in data science had challenged the traditional binary classification of data as either identifiable or non-identifiable. For instance, dynamic IP addresses could sometimes be used to identify individuals, depending on the additional data available to the data processor. The report recognized that identifiability was often contextual, varying based on available technological means and analytical methods.[11]
A major concern addressed in the report was the failure of de-identification methods. Studies had shown that even anonymized datasets could sometimes be re-identified, which raised questions about the effectiveness of existing privacy safeguards. While jurisdictions like the EU and South Africa had excluded anonymized data from the scope of data protection laws, the report acknowledged that pseudonymization—where personal identifiers were replaced with pseudonyms—did not eliminate the risk of re-identification. Despite these challenges, the report concluded that identifiability remained the best available standard for defining personal data. However, it emphasized the need for a broad and flexible definition that would account for various contexts in which data was processed.
The report also distinguished between direct and indirect identifiers. Direct identifiers, such as names or government-issued identity numbers, made identification straightforward. Indirect identifiers, such as date of birth or zip code, could also be used to identify individuals when combined with other available data. The extent to which such data could identify an individual depended on the means and resources available to a data fiduciary. Consequently, the report recommended that any definition of personal data should account for both direct and indirect identifiability.
Regarding anonymization, the report noted that there was no global consensus on its precise definition. Some experts categorized anonymized data on a spectrum, with clearly identifiable data on one end and fully anonymized data on the other. Techniques like pseudonymization and de-identification fell somewhere in between. Anonymization, according to the report, required the application of mathematical and technical methods to ensure irreversible data transformation. However, given the rapid evolution of technology, the report suggested that the law should avoid prescribing rigid anonymization standards and instead leave their determination to the Data Protection Authority (DPA). It argued that while anonymized data should generally be exempt from data protection laws, the standard for anonymization should not be so stringent that it hindered potential benefits derived from data usage.
For data that had undergone de-identification but still carried a risk of re-identification, the report recommended continued treatment as personal data. It acknowledged the importance of de-identification techniques in privacy protection but emphasized that such data remained vulnerable to re-identification risks. Therefore, the DPA was expected to periodically update the technical standards governing anonymization and de-identification, ensuring that privacy safeguards kept pace with technological advancements.
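The report's observation that pseudonymized or de-identified data can still single out individuals through indirect identifiers can be checked on a dataset before it is treated as anonymized. The following is an added example, not taken from the report or from any law cited on this page; the records, field names, key, and the threshold k=2 are constructed assumptions.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records (not real people). "name" and "id_number" are
# direct identifiers; "dob" and "zip" are indirect identifiers.
RECORDS = [
    {"name": "Person A", "id_number": "ID-0001", "dob": "1990-04-12", "zip": "110001", "diagnosis": "asthma"},
    {"name": "Person B", "id_number": "ID-0002", "dob": "1990-09-30", "zip": "110003", "diagnosis": "diabetes"},
    {"name": "Person C", "id_number": "ID-0003", "dob": "1990-01-05", "zip": "110092", "diagnosis": "migraine"},
    {"name": "Person D", "id_number": "ID-0004", "dob": "1985-07-21", "zip": "560001", "diagnosis": "asthma"},
    {"name": "Person E", "id_number": "ID-0005", "dob": "1985-11-02", "zip": "560034", "diagnosis": "anaemia"},
    {"name": "Person F", "id_number": "ID-0006", "dob": "1972-03-15", "zip": "400001", "diagnosis": "hypertension"},
]
DIRECT = ("name", "id_number")
QUASI = ("dob", "zip")
# Assumption: the key is held by the data fiduciary, apart from the dataset.
SECRET_KEY = b"example-key-constructed-for-this-demo"

def pseudonymize(record, key=SECRET_KEY):
    """Replace direct identifiers with a keyed pseudonym; keep other fields."""
    material = "|".join(record[f] for f in DIRECT).encode()
    token = hmac.new(key, material, hashlib.sha256).hexdigest()[:16]
    out = {k: v for k, v in record.items() if k not in DIRECT}
    out["pseudonym"] = token
    return out

def generalize(record):
    """Coarsen indirect identifiers: birth year only, first three zip digits."""
    out = dict(record)
    out["dob"] = record["dob"][:4]
    out["zip"] = record["zip"][:3] + "***"
    return out

def group_sizes(records, quasi=QUASI):
    """Count how many records share each combination of indirect identifiers."""
    return Counter(tuple(r[q] for q in quasi) for r in records)

def k_anonymity(records, quasi=QUASI):
    """Size of the smallest group; k=1 means at least one record is unique."""
    return min(group_sizes(records, quasi).values())

def at_risk(records, k=2, quasi=QUASI):
    """Records whose indirect-identifier combination is shared by fewer than k."""
    sizes = group_sizes(records, quasi)
    return [r for r in records if sizes[tuple(r[q] for q in quasi)] < k]

if __name__ == "__main__":
    pseudo = [pseudonymize(r) for r in RECORDS]
    coarse = [generalize(r) for r in pseudo]
    for label, data in (("pseudonymized", pseudo), ("generalized", coarse)):
        print(label, "k =", k_anonymity(data), "at risk:", len(at_risk(data)))
```

Records returned by `at_risk` are the ones that, on the report's reasoning, should continue to be handled as personal data; coarsening reduces their number but one constructed record here remains unique.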
In addition to defining personal data, the report addressed the classification of sensitive personal data. It recognized that certain types of personal data, such as those linked to an individual’s identity or intimate details, required stricter processing rules to prevent harm. While some scholars had advocated a contextual approach—where any personal data could be classified as sensitive depending on the circumstances—the report argued that this approach would impose an excessive regulatory burden. Instead, it proposed a predefined list of sensitive personal data categories to ensure clarity and mitigate potential harms in advance.
The categorization of sensitive personal data was based on several criteria, including the likelihood of significant harm to data principals, expectations of confidentiality, and whether a specific class of individuals could suffer harm from data processing. Applying these principles, the report identified the following as sensitive personal data: passwords, financial data, health data, official government-issued identifiers, information on sex life and sexual orientation, biometric and genetic data, transgender or intersex status, caste or tribe, and religious or political beliefs. However, recognizing that new types of sensitive data could emerge over time, the report vested the DPA with the authority to designate additional categories as needed. This provision was particularly important for data that might not be inherently sensitive but could become so when aggregated for profiling purposes. For example, the report suggested that geo-location data could be classified as sensitive in the future due to its potential for harm when combined with other information.
International Experience
United States of America
The U.S. government used the term "personally identifiable" in 2007 in a memorandum from the Executive Office of the President, Office of Management and Budget (OMB), and that usage now appears in US standards such as the NIST Guide to Protecting the Confidentiality of Personally Identifiable Information (SP 800-122). The OMB memorandum defines PII as follows:
Information that can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or recognizing linked or linkable information, such as date and place of birth, as well as the mother's maiden name.
The Privacy Act of 1974 establishes guidelines for federal agencies handling personally identifiable information (PII). Other U.S. privacy laws include the Health Insurance Portability and Accountability Act (HIPAA), which protects personal health information. Various proposed acts, such as the Privacy Act of 2005, the Anti-Phishing Act of 2005, the Social Security Number Protection Act of 2005, and the Identity Theft Prevention Act of 2005, sought to further regulate privacy and identity protection.
Federal laws addressing privacy include 18 U.S.C. § 1028(d)(7) and the Privacy Act of 1974 (5 U.S.C. § 552a et seq.). The EU–US Data Privacy Framework (2023) replaced the EU–US Privacy Shield, which was invalidated in 2020.
US State Laws
Nevada
Nevada Revised Statutes 603A governs the security of personal information.
Massachusetts
201 CMR 17.00 establishes protection standards for personal information. The Massachusetts Supreme Court ruled in 2013 that ZIP codes qualify as PII.
California
The California Constitution (Article 1, Section 1) declares privacy as an inalienable right. Other laws include the Online Privacy Protection Act (OPPA) of 2003 and SB 1386, which mandates notification for data breaches. The California Supreme Court ruled in 2011 that ZIP codes qualify as PII. The California data breach notification law, SB 1386, defines personal information as:
Section 1798.82(e): "Personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
(1) Social security number.
(2) Driver’s license number or California Identification Card number.
(3) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
A term similar to PII, "personal data", is defined in EU directive 95/46/EC, for the purposes of the directive:
Article 2a: 'Personal data' shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.[12]
In the GDPR, personal data is defined as:
Any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.[13]
Australia
The Privacy Act 1988 governs the protection of personal information in Australia.[14] The law follows a broad, principles-based regulatory model, in contrast to the U.S., which applies sector-specific protections. The Australian framework is based on the OECD Privacy Principles from the 1980s.[15]
The definition of personal information under Section 6 of the Act includes both direct and indirect identifiers:
"Personal information" means information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not, and whether the information or opinion is recorded in a material form or not.
This broad definition means that Australian privacy law may encompass a wider range of data than some U.S. laws. Online behavioral advertising businesses collecting data, including cookies, bugs, and trackers, may still be subject to Australian privacy law, even if they do not consider such data to be personal information under U.S. law. The term "PII" (Personally Identifiable Information) is not explicitly used in Australian privacy law.
Canada
Canada has several laws governing the protection of personal information. The Privacy Act governs federal government agencies, while the Ontario Freedom of Information and Protection of Privacy Act applies to provincial government agencies. The Personal Information Protection and Electronic Documents Act (PIPEDA) regulates private corporations unless superseded by equivalent provincial legislation.[16] Additionally, the Ontario Personal Health Information Protection Act governs the protection of health information at the provincial level.[17]
European Union
The European Union does not use the term PII but instead applies the broader concept of "personal data" under its legal framework. Article 8 of the European Convention on Human Rights guarantees privacy protections. The Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data establishes data processing standards.
The General Data Protection Regulation (GDPR), adopted in April 2016 and effective since May 25, 2018, replaced the Data Protection Directive 95/46/EC. Other significant regulations include the Directive on Privacy and Electronic Communications (2002/58/EC) (E-Privacy Directive) and the Data Retention Directive (2006/24/EC), Article 5. The GDPR applies to any business processing the data of EU citizens, regardless of whether the business is located in the EU.
Hong Kong
On June 1, 2023, the Hong Kong Office of the Privacy Commissioner for Personal Data released a report on a credit reference database breach. The report emphasized that organizations must actively implement security measures beyond just contractual obligations and policies. It also clarified that credit data is considered sensitive personal data.[18]
United Kingdom
The Data Protection Act 2018 implements GDPR principles in the UK and supersedes the Data Protection Act 1998.[19] The UK GDPR, a retained EU law, mirrors the GDPR but with necessary amendments post-Brexit. Other regulations include Article 8 of the European Convention on Human Rights, the Regulation of Investigatory Powers Act 2000, the Employers' Data Protection Code of Practice, the Privacy and Electronic Communications (EC Directive) Regulations 2003, the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000[20], and the Anti-Terrorism, Crime and Security Act 2001.
New Zealand
New Zealand originally enacted the Privacy Act 1993, which included twelve Information Privacy Principles. The Privacy Act 2020 further strengthened privacy protections.[21]
Switzerland
The Federal Act on Data Protection (FADP) of 1992 provides strict data privacy protections, requiring explicit authorization from data subjects for processing personal data. The Federal Data Protection and Information Commissioner oversees compliance. Individuals can demand the correction or deletion of their personal data within 30 days.[22][23]
- [1] https://web.archive.org/web/20150526030226/http://www.va.gov/vapubs/viewPublication.asp?Pub_ID=608
- [2] https://www.fas.org/sgp/crs/misc/R42475.pdf
- [3] https://www.meity.gov.in/writereaddata/files/Digital%20Personal%20Data%20Protection%20Act%202023.pdf
- [4] https://www.indiacode.nic.in/handle/123456789/1362/simple-search?query=The%20Information%20Technology%20(Reasonable%20Security%20Practices%20and%20Procedures%20and%20Sensitive%20Personal%20Data%20or%20Information)%20Rules,%202011.&searchradio=rules
- [5] https://upload.indiacode.nic.in/showfile?actid=AC_CEN_45_76_00001_200021_1517807324077&type=rule&filename=GSR313E_10511(1)_0.pdf
- [6] https://www.indiacode.nic.in/bitstream/123456789/13116/1/it_act_2000_updated.pdf
- [7] https://uidai.gov.in/images/Aadhaar_Act_2016_as_amended.pdf
- [8] https://www.indiacode.nic.in/bitstream/123456789/2057/2/A200530.pdf
- [9] https://digiscr.sci.gov.in/view_judgment?id=NjEwMg==
- [10] https://privacylibrary.ccgnlud.org/case/s-and-marper-vs-united-kingdom
- [11] https://www.meity.gov.in/writereaddata/files/Data_Protection_Committee_Report.pdf
- [12] https://eur-lex.europa.eu/eli/dir/1995/46/oj/eng
- [13] https://gdpr-info.eu/issues/personal-data/
- [14] https://www.oaic.gov.au/privacy/privacy-legislation/the-privacy-act
- [15] http://oecdprivacy.org/
- [16] https://laws-lois.justice.gc.ca/eng/acts/p-8.6/
- [17] https://www.ontario.ca/laws/statute/04p03
- [18] https://www.mayerbrown.com/en/perspectives-events/publications/2023/08/less-is-not-more-the-need-for-adequate-data-protection-practices-when-monetizing-personal
- [19] https://legislation.gov.uk/ukpga/2018/12/
- [20] https://www.legislation.gov.uk/uksi/2000/1/made
- [21] https://www.dataguidance.com/notes/new-zealand-data-protection-overview
- [22] https://www.admin.ch/opc/en/classified-compilation/19920153/index.html
- [23] https://en.wikipedia.org/wiki/Personal_data#cite_note-Amarelle-31