NOTE: This post was originally part of my special newsletter on LinkedIn – Privacy+Tech Insights. This is a different newsletter from my weekly newsletter. My LinkedIn newsletters are more infrequent and typically involve a more focused analysis of a particular issue.
A quiet revolution has been going on with personal and sensitive data. There have been many notable developments. In the past few years, we’ve witnessed the triumph of the EU approach to defining personal data and to designating special protections for sensitive data.
We’ve seen a growing recognition in the law that:
- the overwhelming modern consensus in privacy law is to define personal data as identified or identifiable data
- new laws (post-GDPR) are now overwhelmingly recognizing sensitive data, even in the U.S.
- various pieces of non-personal data can, in combination, be identifiable
- the ability to make inferences about data can’t be ignored
- non-sensitive data that gives rise to inferences about sensitive data counts as sensitive data
These are significant developments, yet oddly, they haven’t made headline news.
I recently wrote an article about sensitive data. I argue that because non-sensitive data can count as sensitive data if it gives rise to inferences about sensitive data, all personal data is likely sensitive data with modern data analytics. The paper is:
Data Is What Data Does: Regulating Based on Harm and Risk Instead of Sensitive Data, 118 Nw. U. L. Rev. (forthcoming 2024)
I posted a draft of this article on SSRN, where you can download it for free.
PERSONAL DATA
In the U.S., for a long time, many privacy laws adopted one of a few narrow definitions of personal data, diverging from the broad EU approach of defining personal data as identified and identifiable information. Many U.S. laws focused just on identified information.
I created two courses on personal data:
- What Is Personal Data? (5.5 mins): a basic course about the scope of the definition of “personal data”
- Defining Personal Information (8.5 mins): a deeper dive into understanding identifiable information
Finally, with the new wave of state consumer laws (beginning with the CCPA in 2018), the U.S. has adopted an EU approach to defining personal data. Most modern privacy laws follow the EU-style definition of personal data.
With Paul Schwartz, I wrote a pair of papers about the challenges of defining personal data:
- Reconciling Personal Information in the United States and European Union, 102 California Law Review 877 (2014) (with Paul M. Schwartz)
- The PII Problem: Privacy and a New Concept of Personally Identifiable Information, 86 New York University Law Review 1814 (2011) (with Paul M. Schwartz)
SENSITIVE DATA
Beyond personal data, most privacy laws recognize special categories of “sensitive data” that receive additional protection.
Because of the important role that sensitive data plays in privacy laws, I created a short course on Sensitive Data (3 mins).
The course comes with a poster/handout, which I’ll post an image of below, as it contains the types of sensitive data that laws commonly recognize:
Many privacy laws around the world include sensitive data, but the U.S. has long been a holdout. Until recently . . . all of the new U.S. state consumer privacy laws recognize sensitive data.
Sensitive data has triumphed. Yet, sadly, I think that it is unworkable.
A CRITIQUE OF SENSITIVE DATA
Unfortunately, I don’t think sensitive data is a workable protection in privacy law. As I mentioned earlier, I wrote a paper that argues that all personal data is potentially sensitive data in today’s world of modern data analytics.
I also argue that sensitive data doesn’t work and can’t be made to work.
Data Is What Data Does: Regulating Based on Harm and Risk Instead of Sensitive Data, 118 Nw. U. L. Rev. (forthcoming 2024)
Read my blog post about the article here.
RECOGNITION THAT INFERENCES COUNT
U.S. state privacy laws are recognizing that inferences count for personal and sensitive data. In today’s age of modern data analytics, it is increasingly possible to make inferences about personal data from non-personal data and about sensitive data from non-sensitive data. When data is used to make such inferences, it can count as personal or sensitive data, respectively.
Be on the lookout as more privacy laws and regulators start recognizing this reality.
An example of a law recognizing inferences is Washington’s My Health My Data Act. Check out my MHMDA Whiteboard, which summarizes the law in one page.
* * * *
Professor Daniel J. Solove is a law professor at George Washington University Law School. Through his company, TeachPrivacy, he has created the largest library of computer-based privacy and data security training, with more than 150 courses. He is also the co-organizer of the Privacy + Security Forum events for privacy professionals.