Hi Bryan - 

I think it's a bit more blurry than that… IP addresses aside, the EU position 
generally is that information counts as 'personal data' if the entity 
processing it is in a position to make it so (in other words, my credit card 
number might not be 'personally identifiable' to you, but it certainly would be 
to my bank).

The other area of blur is that the lists of 'what counts as personal data' vary 
from jurisdiction to jurisdiction (even between states in the US, for 
instance). 

What I don't think the law is even close to coping with yet is the idea that 
the same piece of data may change, over time, from *not* being personally 
identifiable to being personally identifiable. An example would be this:

- you visit a retailer's website, and the retailer sets a cookie (but you don't 
buy anything);
- next time you visit, the retailer checks the cookie: they know you're the 
same visitor, but they don't know who you are;
- over time, you visit the site many times, but you still don't buy anything. 
The retailer amasses data about which products you look at, what search terms 
brought you to the site, and so on. Still, they don't know who you are…
- the day comes when you make a purchase. This time, your visit also becomes 
associated with a name, a credit card number and a delivery address.

All the data associated with your previous visits is now personally 
identifiable...

R
 
Robin Wilton
Technical Outreach Director - Identity and Privacy
Internet Society

email: wil...@isoc.org
Phone: +44 705 005 2931
Twitter: @futureidentity




On 9 Sep 2012, at 13:16, Bryan McLaughlin (brmclaug) wrote:

> Oh and I believe in some jurisdictions IP addresses have been determined as 
> personal information. This is determined by authorities other than the IETF 
> and may have geo variation. 
> 
> So again whether they are PII "depends" on who and how the question is 
> asked. 
> 
> Bryan
> 
> Sent from my iPhone
> 
> On 9 Sep 2012, at 13:13, "Bryan McLaughlin (brmclaug)" <brmcl...@cisco.com> 
> wrote:
> 
>> 
>> 
>> The intention is to discuss whether Internet Identifiers and Session 
>> Identifiers can be information about an individual and whether consent is 
>> necessary
>> 
>> 
>> Bmc>
>> 
>> I believe the answer to whether consent is necessary will be "it depends"
>> 
>> Privacy is contextual and so the purpose for which the identifiers are 
>> processed will determine the requirement for consent. 
>> 
>> Is the identifier needed to provide the service or is it processed for 
>> "additional" purposes?
>> 
>> Will any processing impact sensitive information? If so additional 
>> requirements for consent may be required. 
>> 
>> BTW this may not be as clear cut as it first seems. Location information may 
>> indicate - with temporal correlation - religious or medical information. We 
>> had a draft and ppt that included this a while back. 
>> 
>> Given that privacy is not an objective binary item I would offer that all 
>> identifiers be used with a minimalist approach. So used when needed. Used 
>> for a specific purpose. Additional uses are not assumed but must be defined 
>> and explicitly consented to. 
>> 
>> Bryan
>> 
>> 
>> 
>> 
>> 
> _______________________________________________
> ietf-privacy mailing list
> ietf-privacy@ietf.org
> https://www.ietf.org/mailman/listinfo/ietf-privacy
