Defining Sensitive Personal Information

BCLP

Like the terms “personal information,” “personally identifiable information,” or “PII,” the terms “sensitive information,” “sensitive personal information,” and “special categories of information” are often left undefined in contracts and treated as if they were terms of art with a single settled definition. Because different statutes, regulations, and guidance documents define the terms differently, one could say either that they are not terms of art, or that they are terms of art whose meaning depends heavily on context. Either way, leaving them undefined within a contract can lead to ambiguity and, ultimately, to disputes. The following sets one of the most expansive definitions beside one of the narrowest, for near-identical phrases, and illustrates the degree to which the meaning of such terms can differ depending upon context:

European Union General Data Protection Regulation (“GDPR”) definition of “special” data categories:

Personal data that reveals “racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership . . . genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation . . . .” [1]

Federal Trade Commission (“FTC”) definition of “sensitive” personal information:

“The Commission defines as sensitive, at a minimum, data about children, financial and health information, Social Security numbers, and certain geolocation data . . .” [2]

Although these examples come from two different legal regimes (the European Union and the United States), significant discrepancies can also arise within a single legal regime, or even within a single agency in that regime.

In terms of practical takeaways, consider the following when drafting, reviewing, editing, or negotiating an agreement:

  1. If an agreement is intended to involve information relating to data subjects in the European Economic Area, it is more likely that the agreement will be interpreted against the backdrop of the GDPR and, therefore, that a statement referencing “sensitive information” would be interpreted to include the categories described within the GDPR as “special.” If the agreement is poorly drafted, this can inadvertently put one, or both, parties in breach of the agreement. For example, broad statements that one party is, or is not, receiving or transmitting “sensitive information” can easily be inaccurate.
  2. If an agreement is intended to involve information only from data subjects in the United States, the term “sensitive information” will most likely be interpreted as including, at a minimum, bank account numbers, Social Security numbers, and health information, but there may be ambiguity about whether other data fields, such as biometrics, insurance information, or geolocation information, were intended to fall under the scope of the term.
  3. In light of the ambiguities surrounding such terms, it is reasonable to object to agreements that do not define the terms, or that use obtuse definitions that escape practical application to contractual terms (e.g., “sensitive personal information” means any information that is treated as sensitive under any law, rule, or regulation).
  4. Even when the terms are defined within an agreement, it is often difficult (or impossible) to comply with the substantive requirements that the agreement imposes on the collection, use, protection, or disclosure of sensitive information unless the party that transmits such information identifies the information, before or during transmission, as being sensitive.
  5. Defining the term “sensitive information” by reference to an existing law or statute can also raise unique challenges. For example, if a contract that is intended to apply to data originating from multiple jurisdictions incorporates by reference the EU’s definition of “special categories” of information into the definition of sensitive information, it could raise ambiguity as to whether the parties intended to cover all data fields that fall under the EU definition of special categories, or only those data fields that fall under that definition and that relate to data subjects in the EU.

[1] GDPR, Art. 9(1).
[2] FTC, Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers at 47 n.214 (Mar. 2012).

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© BCLP | Attorney Advertising

Written by:

BCLP