Each Thursday we present a significant excerpt, usually from a recently published book or journal article. In every case the proper permissions have been obtained. If you are a publisher who would like to participate in this feature, please let us know via the site’s contact form.
Understanding Personal Information: Managing Privacy Risks
Toronto: LexisNexis Canada, 2012
Excerpt from the introduction
However, circumstances have changed fundamentally since privacy was conceptualized as “individuals in control of their personal information” over 40 years ago. Individuals constantly give out personal information. The Internet now reaches billions of people around the world and serves as a virtual marketplace for products, information and ideas. The fluidity of personal information collection has increased as the scope and goals of such data continuously evolve. New types of data and collection tools have emerged in cyberspace and are being used by private and public sector organizations for various purposes.14 Online business models are increasingly based on the notion of greater customization, and various free online products and services are partially supported by advertising revenue. Many online or mobile service providers wish to use analytic solutions to improve their websites, products or services. The second generation of the Internet makes possible greater interaction and connectedness among online users, and individuals are increasingly involved in managing their own data through online social networks (“OSNs”). Recent technological developments have triggered the emergence of new identification tools that allow for easier identification of individuals. The power and scope of the activity of aggregating and correlating information have increased along with Internet technologies, and new algorithms are being developed to allow extraction of information from a sea of collected data. Data-mining techniques and capabilities are reaching new levels of sophistication, and the convergence of different technologies now makes it possible for organizations to collect information that is of a far more personal nature than before.
In this context, it is reasonable to wonder if the FIPs (or the DPLs) still provide a proper legal framework. Because it is possible to interpret almost any data as personal information (any data can in one way or another be related to some individual), the question arises as to how much data should be considered to be personal information. Using a literal interpretation of the definition of “personal information” can lead to many negative outcomes. First, DPLs may protect all personal information, regardless of whether the information may be harmful to individuals or is worthy of protection. This encourages a potentially over-inclusive and burdensome framework, resulting in a system in which organizations and industry players incur additional costs for complying with DPLs that have nothing to do with the protection of individuals. The rise in popularity of cloud computing, where organizations store all the data generated by users of cloud services, may lead to a large undertaking and an economic burden.
The definition of “personal information”, if interpreted using a strict literal method, may prove to be under-inclusive. It may not cover certain information which, on its own, does not qualify as such. It also may not govern certain profiles falling outside the scope of the definition, although these profiles are otherwise used or disclosed, creating some type of privacy or other harm to the individuals behind the profiles.
Using a literal interpretation of the notion of personal information may also create various uncertainties, especially in light of new types of data and collection tools. With recent technological developments, and with unlimited resources and efforts, any information can be linked to an individual, and thus more guidance is required to determine whether illegal means should be taken into account when determining whether certain information is personal; the kind of resources that should be used to assess whether a certain piece of information qualifies as personal; at what point data are anonymized; and whether the data should be evaluated alone or in correlation with other available data when assessing whether certain information is personal. Also, when dealing with new types of data, it is not always clear whether information identifying a device or an object qualifies as personal data; at what point it is identifiable to an individual when a device is used by a group; and how accurate the link between an individual and a piece of information must be, in order to qualify as “identifying” an individual.
A literal interpretation of the notion of personal information may also be obsolete in certain situations, for instance if profile data are used to make a decision that has an impact on the individual behind the profile, although this individual is not “identified” (by name and address, for example). Pre-determined categories of so-called “sensitive” information that focus strictly on the nature of the information without taking into account the context of its availability may be obsolete.
In the context of proposing a new interpretation of the definition of “personal information”, the idea is to aim for a level of generality that corresponds with the lawmakers’ highest-level goal. This book demonstrates that the ultimate purpose of DPLs is broader than protecting the privacy rights of individuals: it is to protect individuals against the risk of harm that may result from the collection, use or disclosure of their information. With the proposed approach, only data that may present such a risk of harm to individuals would be protected. In certain cases, the harm will take place at the point of collection, while in other cases, it will take place at the point where the data will be used or even disclosed. The book also elaborates on the fact that with the activities of collection and disclosure, the risk of harm is subjective in nature, while at the point at which the information is used, the risk is usually objective in nature. The risk of harm approach applied to the definition will reflect this and protect data only at the time it presents such a risk, or in light of the importance or extent of such a risk of harm.