The terms “personal information,” “personal data,” “personally identifiable information,” and “PII” are often left undefined in contracts and treated as if they were terms of art for which there was a single definition. Because different statutes, regulations, and guidance documents define the terms differently, you could either say that they are not terms of art, or that they are terms of art that are highly dependent upon context. The following provides an example of one of the most expansive and one of the most narrow definitions of near identical phrases, and illustrates the degree to which the meaning of such terms can differ depending upon context:
European Union General Data Protection Regulation (“GDPR”) definition of “personal data”
|
Maryland data breach notification statute definition of “personal information”
|
|
“any information relating to an identified or identifiable natural person (‘data subject’)1
|
“an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when the name or the data elements are not encrypted, redacted, or otherwise protected by another method that renders the information unreadable or unusable: (i) a Social Security number; (ii) a driver’s license number; (iii) a financial account number . . .; (iv) an Individual Taxpayer Identification Number.”2
|
Although the examples are from two different legal regimes (i.e., the European Union and the United States), even within a single legal regime, or a single agency within a legal regime, there can be significant discrepancies. For example, within the United States the Federal Trade Commission has used different definitions of the same terms. At one extreme, such as in its negotiated consent orders, it adopts a definition of “personal information” that is similar to the definition used within the GDPR: i.e., “individually identifiable information from or about an individual consumer . . .”3
In terms of practical takeaways when you are drafting, reviewing, editing, or negotiating agreements:
- If an agreement is intended to involve information relating to data subjects in the European Economic Area it is more likely that the agreement will be interpreted against the backdrop of the GDPR and, therefore, that a statement referencing “personal information” would be interpreted expansively. If the agreement is poorly drafted this can inadvertently put one, or both, parties in breach of the agreement. For example, broad statements that one party is, or is not, receiving or transmitting, “personal information” can easily be inaccurate.
- If an agreement is intended to involve information only from data subjects in the United States, the term “personal information” is, at best, ambiguous, and a party to the contract, a regulator, or a third party plaintiff could reasonably argue that it is sufficiently broad to include basic identifying information such as a person’s name.
- In light of the ambiguities surrounding such terms, it is reasonable to object to agreements that do not define the terms, or that use obtuse definitions that escape practical application to contractual terms (g., “personal information” means any information that is treated as personal information under any law, rule, or regulation).
The term “personal information,” is often too basic to adequately capture the parties intent with respect to various contractual terms surrounding data privacy or security. As a result, many agreements will use multiple terms that reflect the fact that different protections are needed for different types of data. For example, a contract might contain a broad definition for “personal information,” and a specific definition for “sensitive personal information.” Heightened data privacy and security protection would typically only apply to the latter definition.
1. GDPR Article 4(1).
2. Maryland Commercial Code § 14-3501(d).
3. See Decision and Order, In the Matter of Lookout Services, Inc., FTC Docket No. C-4326 (June 15, 2011)
[View source.]
