Hi Robin,

I agree it is 'blurry'.

My point was that we, the IETF, cannot determine the requirement for consent 
and the nature of an identifier to be personal data.  The answer will always 
vary on context and may vary on jurisdiction.

My reason for using the IP address is it's a great example of this very point.

Cheers

Bryan

From: Robin Wilton [mailto:[email protected]]
Sent: 10 September 2012 11:09
To: Bryan McLaughlin (brmclaug)
Cc: [email protected]; S Moonesamy
Subject: Re: [ietf-privacy] draft-moonesamy-privacy-identifiers-00

Hi Bryan -

I think it's a bit more blurry than that... IP addresses aside, the EU position 
generally is that information counts as 'personal data' if the entity 
processing it is in a position to make it so (in other words, my credit card 
number might not be 'personally identifiable' to you, but it certainly would be 
to my bank).

The other area of blur is that the lists of 'what counts as personal data' vary 
from jurisdiction to jurisdiction (even between states in the US, for instance).

What I don't think the law is even close to coping with yet is the idea that 
the same piece of data may change, over time, from *not* being personally 
identifiable to being personally identifiable. An example would be this:

- you visit a retailer's website, and the retailer sets a cookie (but you don't 
buy anything);
- next time you visit, the retailer checks the cookie: they know you're the 
same visitor, but they don't know who you are;
- over time, you visit the site many times, but you still don't buy anything. 
The retailer amasses data about which products you look at, what search terms 
brought you to the site, and so on. Still, they don't know who you are...
- the day comes when you make a purchase. This time, your visit also becomes 
associated with a name, a credit card number and a delivery address.

All the data associated with your previous visits is now personally 
identifiable...

R

Robin Wilton
Technical Outreach Director - Identity and Privacy
Internet Society

email: [email protected]
Phone: +44 705 005 2931
Twitter: @futureidentity




On 9 Sep 2012, at 13:16, Bryan McLaughlin (brmclaug) wrote:


Oh and I believe in some jurisdictions IP addresses have been determined as 
personal information. This is determined by authorities other than the IETF and 
may have geo variation.

So again whether they are PII "depends" on who and how the question is asked.

Bryan

Sent from my iPhone

On 9 Sep 2012, at 13:13, "Bryan McLaughlin (brmclaug)" 
<[email protected]> wrote:




The intention is to discuss whether Internet Identifiers and Session 
Identifiers can be information about an individual and whether consent is 
necessary.


Bmc>

I believe the answer to whether consent is necessary will be "it depends".

Privacy is contextual and so the purpose for which the identifiers are 
processed will determine the requirement for consent.

Is the identifier needed to provide the service or is it processed for 
"additional" purposes?

Will any processing impact sensitive information? If so additional requirements 
for consent may be required.

BTW this may not be as clear cut as it first seems. Location information may 
indicate - with temporal correlation - religious or medical information. We had 
a draft and ppt that included this a while back.

Given that privacy is not an objective binary item I would offer that all 
identifiers be used with a minimalist approach. So used when needed. Used for a 
specific purpose. Additional uses are not assumed but must be defined and 
explicitly consented to.

Bryan





_______________________________________________
ietf-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ietf-privacy
