Gathering of personally identifiable information

The gathering of personally identifiable information (PII) is the practice of collecting public and private personal data that can be used to identify an individual for both legal and illegal applications. PII owners often view PII gathering as a threat and violation of their privacy. Meanwhile, entities such as information technology companies, governments, and organizations use PII for data analysis of consumer shopping behaviors, political preference, and personal interests.

With the development of new information technology, PII is easier to access and share than before. The use of smartphones and social media has contributed to the widespread usage of PII gathering. PII is collected anywhere and anytime. The dissemination of personal data makes PII gathering a hotly debated social issue.

Recent illegal PII gathering by data collection companies, such as Cambridge Analytica on Facebook of over 87 million users, has caused increasing concern over privacy violation and has renewed call for more comprehensive data protection laws. Major security breaches at Equifax, Target, Yahoo, Home Depot, and the United States Office of Personnel Management impacted personal and financial information of millions of American, with calls for increasing information technology security and protection of PII data by businesses and governmental agencies.

Definition
There is no precise definition for PII gathering. According to the U.S. National Institute of Standards and Technology (NIST), PII is defined as:

(1) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial and employment information.

PII gathering is any activity that collects, organizes, manipulates, analyzes, exchanges, or shares this data.

Governments
Governments publicly collect PII to extend social and legal benefits, such as improving social services and when fulfilling legal obligations.

Depending on a country's governmental archetype, such as democratic or authoritarian, PII gathering is conducted using different methods. Regardless, countries share similar goals with PII gathering, as demonstrated by the example below.

United States
In the United States, PII is gathered through application for assistance, registration of property, tax filing, registration for selective services, application for driver's license, government employment, professional licensure, and other voluntary and mandatory information submission. PII is stored, accessed, and shared between different levels of government, departments, agencies, non-governmental entities, and the public. For example, a potential home buyer can look up if a real estate agent is licensed or not. The Government also gathers PII for crime prevention and national security purposes. Many of the programs are highly controversial among the US public. For example, the National Security Agency (NSA) collects and analyzes PII, including phone calls, emails, and social media interactions, from large numbers of people to uncover potential threats.

China
The Chinese government has made big data part of the governance strategy. The goal is a more efficient and transparent government through the use of digital technology. The government has implemented one of the most technologically advanced surveillance networks on the planet called the "Skynet(天网监控系统)". The system adopts artificial intelligence including facial recognition. 20 million cameras were installed to cover nearly every single public space in the country. PII protection in China deals with collection by private companies and organizations. There has been no discussion or proposal about limiting government involvement in collecting, gathering, and analyzing PII.

Finland
Even in western democratic systems, there are different constraints on PII gathering. Nations in the European Union adopt stricter regulation on PII collecting than the United States. Similarly, personal data processing in Finland has been protected under comprehensive regulations and laws. The Personal Data Act in 1999 was the main national privacy regulation alongside the 1995 European Union Data Protection Directive. Other data regulations enacted in Finland include the Act on the Protection of Privacy in Electronic Communication, the Act on the Protection of Privacy in Working Life, and the Act on the Openness of Governmental Activities. The Personal Data Act was replaced by European Union General Data Protection Regulation (GDPR) which will take effect in May 2018. Enforcement of privacy regulations have gotten stricter in recent years after a ruling by the European Court of Human Rights which found that a Finnish hospital failed to safeguard personal data.

Companies
With the rapid growth and development of Internet and mobile technologies, private companies are able to collect personal data more quickly and effectively than before. Companies gather PII by storing of profile information when users register a new account, tracking user's location, tracking user's local storage, and using cookies and other anonymous identifiers.

Data brokers, also known as information brokers, are the major dealers of gathering, transforming, packaging, and selling of personal data. They gather PII from these resources: 1) Government documents and records, e.g. registration information, crime records. 2) Publicly available sources: including social media, blogs, and Internet websites. For example, Facebook users frequently post their personal information online and share their preferred links. As the site requires users to register with their real identities as required, it offers the opportunity for data broker to store and analyze the individual's personality and preference. 3) Approved companies, businesses, or services that are authorized by users willingly or sometime unknowingly to access their personal profiles. Similarly, online users are often asked to provide PII in order to register an account on a website. The website will then inform users about data gathering and benefits of storing the data, such as no need to enter the password every time and more effective on personal advertisements. However, these approved companies would sell PII collected and stored to data broker and mostly without users' knowledge or consent. The Facebook–Cambridge Analytica data scandal is an example. Cambridge Analytica traced personality traits from potential voters' activities on Facebook, such as their "likes" and locations, and used this personal information to predict voting behaviors. Cambridge Analytica acquired over 87 million users' PII. Only about 270,000 consented for their data for academic uses, while all other users' PII is collected illegally by Cambridge Analytica.

Hackers
Hackers are individuals or organizations that collect PII data illegally. They are driven mostly by financial interests, but sometimes political, such as the hacking of Sony by North Korean hackers. Hackers from North Korea targeted Sony Pictures in retaliation for the planned release of "The Interview," a movie about the fictional assassination of North Korean leader Kim Jong-Un. The incident resulted in the release of Social Security numbers, salary information, and medical records of Sony employees. Hackers use spyware, viruses, backdoors, social engineering or other methods to steal and collect PII data from individuals, companies, governments, and other organization. For example, Equifax, one of the largest credit company in the world, its security was compromised by hackers and PII for millions of Americans was stolen.

Related laws
PII gathering is often associated with violation of privacy and is often opposed by privacy advocates. Democratic countries, such as the United States and those in the European Union have more developed privacy laws against PII gathering. Laws in the European Union offer more comprehensive and uniform protection of personal data. In the United States, federal data protection laws are approached by sectors. Authoritarian countries often lack PII gathering protection for citizens. For example, Chinese citizens enjoy legislative protection against private companies, but have no protection from government violation.

European Union

 * The General Data Protection Regulation(GDPR) - Regulation (EU) 2016/679

The GDPR will take effect on May 25, 2018 and offers comprehensive privacy protection consistent across all sectors and industries. The regulation applies to all businesses and government agencies in the European Union countries. It also regulates all foreign companies and organizations offering services in Europe. Violation and non-compliance of the GDPR may result in penalties up 4 percent of the business' worldwide annual revenue. GDPR requires businesses and government agencies to get consent for data processing, make anonymous of collected data, provide quick notifications for data breach, safe handling of data transfer across borders, and appointment of data protection officer.

United States

 * The Federal Trade Commission Act

The section 5 of the Federal Trade Commission Act (FTC Act) is used to make companies safeguard collected PII data. A company in the United States is not required to have a privacy policy, but is obliged to comply if the company disclosed a privacy policy. The company also cannot retroactively change its data collection policy without offering an opportunity for users to opt out. The FTC imposed a $100 million penalty on LifeLock for failure to protect customer's PII data, such as social security numbers, credit card numbers, and bank account numbers, and violated the terms of a 2010 federal court order. The FTC also uses the Behavioral Advertising Principe to provide guidelines and suggestions for website operators on data collection practices, activity tracking, and opt-out mechanism. A website operator is requested to obtain express consent before sensitive PII data, such as social security numbers, financial data, health information, and data of minors is collected and used. The Behavioral Advertising Principe also calls for reasonable security to protect the collected personal data and limited length of data retention, but for as long as is necessary to fulfill a legitimate business or law enforcement need. The principle is also self-regulatory and intended to encourage more discussion and further development by all interested parties.


 * The Financial Services Modernization Act
 * The Health Insurance Portability and Accountability Act
 * The Fair Credit Reporting Act
 * The Controlling the Assault of Non-Solicited Pornography and Marketing Act
 * The Electronic Communications Privacy Act

Concerns
PII gathering is usually viewed by the public as a violation of privacy. A major concern is that PII gathering allows for the classification of individual and groups, which leads to discrimination and loss of individual and collective freedom. Other perceived risks include: "(1) monetary risk is the risk associated with potential financial loss, (2) social risk is the risk associated with threats to an individual's self-esteem, reputation, and/or the perceptions of others, (3) physical risk is the risk associated with bodily injury, and (4) psychological risk is the risk associated with potential negative emotions such as anxiety, distress, and/or conflicts with self-image."

A 2018 Gallup poll indicated that more people are now concerned with invasion of privacy and data gathering after the revelation that personal data of Facebook users was collected and shared with Cambridge Analytica without consent. The survey showed that 43% of Facebook users are "very concerned" compared to 30% in 2011, with similar responses from Google users. There is also increasing concerns that personal data is being collected even if users are not logged in or not using the services. The data is collected to target users with tailored advertising services. Concerns over unauthorized data collection and use has resulted in many users stopping using Facebook or moving to other social media platforms, with increasing call for broad privacy regulation from the government, including the ability for users opt out of data collection completely.