The terms “personal information,” “personal data,” “personally identifiable information,” and “PII” are often left undefined in contracts and treated as if they were terms of art with a single settled definition. Because different statutes, regulations, and guidance documents define the terms differently, you could say either that they are not terms of art, or that they are terms of art whose meaning is highly dependent upon context. The following provides an example of one of the most expansive and one of the narrowest definitions of near-identical phrases, and illustrates the degree to which the meaning of such terms can differ depending upon context:
| European Union General Data Protection Regulation (“GDPR”) definition of “personal data” | Maryland data breach notification statute definition of “personal information” |
|---|---|
| “any information relating to an identified or identifiable natural person (‘data subject’)”[1] | “an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when the name or the data elements are not encrypted, redacted, or otherwise protected by another method that renders the information unreadable or unusable: (i) a Social Security number; (ii) a driver’s license number; (iii) a financial account number . . .; (iv) an Individual Taxpayer Identification Number.”[2] |
Although the above examples are from two different legal regimes (i.e., the European Union and the United States), even within a single legal regime there can be significant discrepancies.
The following provide some practical takeaways when you are drafting, reviewing, editing, or negotiating agreements:
- If an agreement is intended to involve information relating to data subjects in the European Economic Area, it is more likely that the agreement will be interpreted against the backdrop of the GDPR and, therefore, that a statement referencing “personal information” would be interpreted expansively. If the agreement is poorly drafted, this can inadvertently put one, or both, parties in breach of the agreement. For example, broad statements that a party will encrypt all “personal information” are almost per se inaccurate, as most parties anticipate that personal information in some forms will be transmitted in a non-encrypted manner. For example, the parties probably expect communication by email despite the fact that emails contain personal information (e.g., the “to,” “from,” and “cc” fields contain names) and email is not typically encrypted.
- If an agreement is intended to involve information only from data subjects in the United States, the term “personal information” is, at best, ambiguous, and a party to the contract, a regulator, or a third-party plaintiff could reasonably argue that it is sufficiently broad to include basic identifying information such as a person’s name. As a result, if the term is being used to refer to situations in which particular security measures will be taken (e.g., access controls, encryption, etc.), make sure that it is defined narrowly to include only the types of sensitive personal information for which such controls would be appropriate.
- In light of the ambiguities surrounding such terms, it is reasonable to object to agreements that do not define the terms, or that use obtuse definitions that escape practical application to contractual terms (e.g., “personal information” means any information that is treated as personal information under any law, rule, or regulation).
- The term “personal information” is often too basic to adequately capture the parties’ intent with respect to various contractual terms surrounding data privacy or security. As a result, many agreements will use multiple terms that reflect the fact that different protections are needed for different types of data. For example, a contract might contain a broad definition for “personal information” and a specific definition for “sensitive personal information.” Heightened data privacy and security protection would typically apply only to the latter.
- Contracts often assume that information does not fall within the scope of “personal information” if names are removed. Indeed, some contracts will explicitly state that personal information does not include information that has been de-identified, aggregated, anonymized, or pseudonymized. These terms, however, can also lead to contracting ambiguity. For example, different industries and different jurisdictions have different standards for how data can be “de-identified” and what methods of de-identification remove a data set from the realm of “personal information.”