Gathering of personally identifiable information
The gathering of personally identifiable information (PII) refers to the collection of public and private personal data that can be used to identify individuals for various purposes, both legal and illegal. PII gathering is often seen as a privacy threat by data owners, while entities such as technology companies, governments, and organizations utilize this data to analyze consumer behavior, political preferences, and personal interests.
With advances in information technology, access to and sharing of PII have become easier. Smartphones and social media have significantly contributed to the widespread collection of personal data, making it a pervasive and controversial issue.[1]
Recent cases of illegal PII collection, such as the Cambridge Analytica scandal involving the data of over 87 million Facebook users, have heightened concerns about privacy violation and increased demands for stronger data protection laws. Major breaches at companies like Equifax, Target, Yahoo, Home Depot, and the United States Office of Personnel Management have compromised the personal and financial data of millions of Americans, leading to calls for improved information security and PII protection.[2]
Definition
Currently, there is no universally accepted definition of PII gathering. According to the U.S. National Institute of Standards and Technology (NIST), PII is defined as:[3]
(1) Any information that can be used to distinguish or trace an individual's identity, such as a name, social security number, date and place of birth, mother's maiden name, or biometric records. (2) Any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.
PII gathering refers to the collection, organization, manipulation, analysis, exchange, or sharing of such data.
Collectors
Governments
Governments collect PII to provide social and legal benefits, improve services, and fulfill legal obligations.[4] Depending on the type of government, whether democratic or authoritarian, methods for collecting PII may vary, but the goals are generally similar.[5]
United States
In the U.S., PII is gathered through processes like tax filing, property registration, and driver's license applications.[6] The government also collects PII for crime prevention and national security purposes, though such practices, especially by the National Security Agency (NSA), remain controversial.[7]
China
China uses big data to enhance governance, employing advanced surveillance networks like the "Skynet" system with 20 million cameras. Although regulations protect PII collected by private companies, there are no limitations on government collection of such data, nor have any plans been made to implement such limitations.[8][9]
European Union
European Union nations have stringent domestic and international PII regulations.[10] For example, the General Data Protection Regulation (GDPR) provides comprehensive protections for personal data.[11]
Companies
With advancements in internet and mobile technologies, private companies collect PII through user registrations, location tracking, cookies, and other methods. Data brokers buy, sell, and analyze PII from various sources, often without user consent.[12] The Facebook–Cambridge Analytica data scandal is an example of data misuse, where only a fraction of the users whose data was collected had consented.[13]
Hackers
Hackers illegally collect PII for financial or political gain. Notable examples include North Korean hackers targeting Sony Pictures and the large-scale breach at Equifax that exposed sensitive data from millions of users.
Related laws
PII gathering is often associated with violation of privacy and is often opposed by privacy advocates. Democratic countries, such as the United States and those in the European Union have more developed privacy laws against PII gathering. Laws in the European Union offer more comprehensive and uniform protection of personal data. In the United States, federal data protection laws are approached by sectors.[14] Authoritarian countries often lack PII gathering protection for citizens. For example, Chinese citizens enjoy legislative protection against private companies but have no protection from government violations.[15]
European Union
- The General Data Protection Regulation (GDPR) - Regulation (EU) 2016/679
The GDPR will take effect on May 25, 2018, and offers comprehensive privacy protection consistent across all sectors and industries. The regulation applies to all businesses and government agencies in the European Union countries. It also regulates all foreign companies and organizations offering services in Europe. Violation and non-compliance with the GDPR may result in penalties of up to 4 percent of the business' worldwide annual revenue. GDPR requires businesses and government agencies to get consent for data processing, make anonymous of collect data, provide quick notifications for data breaches, safe handling of data transfer across borders, and appointment of data protection officers.[16]
United States
Section 5 of the Federal Trade Commission Act (FTC Act) is used to make companies safeguard collected PII data.[17] A company in the United States is not required to have a privacy policy, but is obliged to comply if the company disclosed a privacy policy. The company also cannot retroactively change its data collection policy without offering an opportunity for users to opt-out. The FTC imposed a $100 million penalty on LifeLock for failure to protect customer's PII data, such as social security numbers, credit card numbers, and bank account numbers, and violated the terms of a 2010 federal court order.[18]
The FTC also uses the Behavioral Advertising Principe to provide guidelines and suggestions for website operators on data collection practices, activity tracking, and opt-out mechanisms. A website operator is requested to obtain express consent before sensitive PII data, such as social security numbers, financial data, health information, and data of minors is collected and used. The Behavioral Advertising Principe also calls for reasonable security to protect the collected personal data and limited length of data retention but for as long as is necessary to fulfill a legitimate business or law enforcement need. The principle is also self-regulatory and intended to encourage more discussion and further development by all interested parties.[19]
- The Financial Services Modernization Act
- The Health Insurance Portability and Accountability Act
- The Fair Credit Reporting Act
- The Controlling the Assault of Non-Solicited Pornography and Marketing Act
- The Electronic Communications Privacy Act
Concerns
Public concern about PII gathering centers around privacy violations and potential discrimination. The unauthorized collection and use of data, as seen in the Cambridge Analytica scandal, has fueled distrust in major platforms like Facebook, with many users demanding stricter government regulation.[20][21] Risks of PII gathering include discrimination, the loss of individual and collective freedom, monetary risk,, social risk, physical risk, and psychological risk.[22]
See also
- Personally identifiable information
- Data collection
- Information security
- Privacy and Electronic Communications Directive 2002 (also known as ePrivacy Directive)
- Data mining
- General Data Protection Regulation(EU)
- Privacy law
- Privacy in education
- Privacy and the US government
References
- ^ Li, Xiao Bai; Motiwalla, Luvai F. (2016). "Unveiling consumers' privacy paradox behavior in an economic exchange". International Journal of Business Information Systems. 23 (3): 307–329. doi:10.1504/IJBIS.2016.10000351. PMC 5046831. PMID 27708687.
- ^ "Cybersecurity Incidents". U.S. Office of Personnel Management.
- ^ Milne, George R.; Pettinico, George; Hajjat, Fatima M.; Markos, Ereni (March 2017). "Information Sensitivity Typology: Mapping the Degree and Type of Risk Consumers Perceive in Personal Data Sharing". Journal of Consumer Affairs. 51 (1): 133–161. doi:10.1111/joca.12111.
- ^ Cappello, Lawrence (December 15, 2016). "Big Iron and the Small Government: On the History of Data Collection and Privacy in the United States". Journal of Policy History. 29 (1): 177–196. doi:10.1017/S0898030616000397.
- ^ Li, Xiao Bai; Motiwalla, Luvai F. (2016). "Unveiling consumers' privacy paradox behavior in an economic exchange". International Journal of Business Information Systems. 23 (3): 307–329. doi:10.1504/IJBIS.2016.10000351. PMC 5046831. PMID 27708687.
- ^ Cappello, Lawrence (December 15, 2016). "Big Iron and the Small Government: On the History of Data Collection and Privacy in the United States". Journal of Policy History. 29 (1): 177–196. doi:10.1017/S0898030616000397.
- ^ Taylor, Isaac (2017). "Data collection, counterterrorism and the right to privacy". Politics, Philosophy & Economics. 16 (3): 326–346. doi:10.1177/1470594x17715249.
- ^ ZENG, JINGHAN (November 2016). "China's date with big data: will it strengthen or threaten authoritarian rule?". International Affairs. 92 (6): 1443–1462. doi:10.1111/1468-2346.12750.
- ^ ZENG, JINGHAN (November 2016). "China's date with big data: will it strengthen or threaten authoritarian rule?". International Affairs. 92 (6): 1443–1462. doi:10.1111/1468-2346.12750.
- ^ Mikkonen, Tomi (April 1, 2014). "Perceptions of controllers on EU data protection reform: A Finnish perspective". Computer Law & Security Review. 30 (2): 190–195. doi:10.1016/j.clsr.2014.01.011. ISSN 0267-3649.
- ^ Mikkonen, Tomi (April 1, 2014). "Perceptions of controllers on EU data protection reform: A Finnish perspective". Computer Law & Security Review. 30 (2): 190–195. doi:10.1016/j.clsr.2014.01.011. ISSN 0267-3649.
- ^ "Privacy considerations of online behavioral tracking". European Union Agency for Network and Information Security.
- ^ Solon, Olivia (April 4, 2018). "Facebook says Cambridge Analytica may have gained 37m more users' data". the Guardian.
- ^ "A Comparison Between US and EU Data Protection Legislation for Law Enforcement Purposes - Think Tank". www.europarl.europa.eu.
- ^ ZENG, JINGHAN (November 2016). "China's date with big data: will it strengthen or threaten authoritarian rule?". International Affairs. 92 (6): 1443–1462. doi:10.1111/1468-2346.12750.
- ^ "Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons about the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance)". May 4, 2016.
- ^ "Privacy & Data Security Update (2016)". Federal Trade Commission. January 18, 2017.
- ^ "LifeLock to Pay $100 Million to Consumers to Settle FTC Charges it Violated 2010 Order". Federal Trade Commission. December 17, 2015.
- ^ "Online Behavioral Advertising: Moving the Discussion Forward to Possible Self-Regulatory Principles: Statement of the Bureau of Consumer Protection Proposing Governing Principles For Online Behavioral Advertising and Requesting Comment". Federal Trade Commission. January 16, 2014. Archived from the original on February 9, 2021. Retrieved April 19, 2018.
- ^ "Facebook Users' Privacy Concerns Up Since 2011". Gallup.
- ^ "The Spotlight's on Facebook, but Google Is Also in the Privacy Hot Seat". NDTV Gadgets360.com.
- ^ Milne, George R.; Pettinico, George; Hajjat, Fatima M.; Markos, Ereni (March 2017). "Information Sensitivity Typology: Mapping the Degree and Type of Risk Consumers Perceive in Personal Data Sharing". Journal of Consumer Affairs. 51 (1): 133–161. doi:10.1111/joca.12111.