Muddled Definitions of Personal Information Undermine Data Protection

The Court of Justice of the European Union ruled last month that a Vehicle Identification Number (VIN) must be treated as personal data when it can be used to identify an individual. This adds to a record of inconsistent decisions on what constitutes personally identifiable information (PII), making protecting that data even harder.

Earlier this year, a German trade association argued that car manufacturer Scania was withholding information the association needed for vehicle maintenance. The case was referred to the Court of Justice over the question of whether a VIN must be provided to independent auto repair shops along with on-board diagnostic information and vehicle maintenance records. As part of the decision, the Court ruled that a VIN on its own is not personal data. But when a third party can use the VIN to identify the owner of the vehicle, it is considered personal data, the Court concluded.

Further reinforcing the confusion on what is and is not PII, the Court of Justice considers information to be PII if it can be used on its own to identify a specific individual. On separate occasions, however, the court ruled that data from which a person’s identity could be inferred was both PII and not PII.

The evolving landscape of artificial intelligence (AI) introduces additional complexity to these decisions. As AI technologies advance, the ability to infer identities may become more sophisticated, potentially reshaping how the Court interprets and applies the concept of PII.

Why does this label matter? Many breach notification laws in the United States are based on how many citizens’ PII a hacker has compromised. The rules of the EU’s General Data Protection Regulation (GDPR), meanwhile, are predicated on whether data is considered personal or not. For example, Article 17(1) requires organizations to delete personal data of individuals upon their request. Organizations do not have to delete data that is not personal.

Securing PII is crucial to prevent malicious actors from exploiting the data, leading to potential harm for individuals through unauthorized access and various forms of exploitation. Ambiguous definitions of PII undermine data protection by causing confusion for companies and governments regarding which data they need to safeguard. And as AI makes it easier to deduce conclusions from limited information, the line between what is PII and what is not is only getting blurrier.

Washington and Brussels need concrete and concise definitions of personal data before they can effectively regulate how that personal data is handled. Only then can American and European citizens be confident that their information is safe.

Dr. Georgianna Shea is the chief technologist of the Center on Cyber and Technology Innovation (CCTI) at the Foundation for Defense of Democracies (FDD), where Daniel Bolding served as a fall 2023 intern. For more analysis from the authors and CCTI, please subscribe HERE. Follow FDD on X @FDD and @FDD_CCTI. FDD is a Washington, DC-based, nonpartisan research institute focusing on national security and foreign policy.