What is PII?

From the IFTAS Moderator Library, supporting Fediverse trust & safety

Updated on 2024-03-27
The materials provided on this page are for general informational purposes only. These materials do not, and are not intended to, constitute legal advice, and you should not act or refrain from acting based on any information provided. Please consult with your own legal counsel on your situation and specific legal questions.

Definition

Personally Identifiable Information, or PII, includes any data that could potentially identify a specific individual. This can range from direct information like government-issued identity numbers and email addresses to more indirect data such as an individual’s physical address or date of birth.

Moderators should be vigilant for the sharing of such information without consent (“Doxxing“), particularly in a context that suggests malicious intent. However, distinguishing between harmful sharing and innocent or self-disclosure requires careful judgement, as some users may share their own information for legitimate reasons or by accident.

Australia

In Australia, personal information is defined as information or an opinion about an identified individual, or an individual who can be reasonably identified. The definition is broad and can include a variety of data types such as a person’s name, address, or phone number. It’s crucial that the individual can be identified from the information itself or in combination with other information that an entity might possess. The concept emphasizes that personal information encompasses both factual and subjective data about individuals who are alive.

See What is personal information? for more on the Australian definition.

European Union

In the EU, under the General Data Protection Regulation (GDPR), personal data is defined as any information relating to an identified or identifiable living individual. An individual is considered identifiable if they can be identified directly or indirectly by reference to identifiers like a name, an identification number, location data, or online identifier, among other factors. This encompasses a wide range of information including both objective data, like someone’s height, and subjective data, such as personal opinions or assessments. The GDPR applies to the processing of personal data that is done wholly or partly by automated means, and also to the non-automated processing of personal data that forms part of a filing system or is intended to form part of a filing system​.

See What is considered personal data under the EU GDPR? for more on the EU definition.

United Kingdom

The UK GDPR specifies that this personal data must relate to a living individual who can be identified from that data alone or when combined with other accessible information. Information regarding companies or public authorities is also not considered personal data unless it is related to individuals within those entities acting in personal capacities, like employees or sole traders. Personal data under UK law includes not just factual information but also opinions about the individual. Even pseudonymised data can be considered personal data if there’s a way to re-identify the individual from that data. However, truly anonymised data, where individuals are no longer identifiable, does not fall under the UK GDPR.

See Personal information – what is it? for more on the UK definition.

Deletion Requests

It is important to note many user accounts are anonymous, with only an email address and possibly the IP address available to administrative staff. If you don’t know who that person is, and cannot identify them, then any PII-related takedowns must be verified before acting on the request. It is always best to advise users to delete their own data using a logged-in session, as that forms the basis for their authorised control of the data and content. Anyone asking you to remove data or content belonging to an account you administer must be able to verify they are the person in question, which may not be possible if their account or profile can not be used to verify their identity.

The ability for a social media user to demand the removal of posts that have already been delivered to recipients’ inboxes varies based on the platform’s policies and the legal jurisdiction.

Generally, once a message or post has been sent and received, the sender may not have the right or ability to force its deletion from the recipient’s inbox, especially if the platform does not support such a feature.

However, users can request the deletion of their own posts or messages from their side of the conversation or their profile, but this does not guarantee that these will be removed from the recipients’ side.

Some platforms might allow senders to delete messages from both sides under certain conditions, but this is not a universal feature or legal right. If a post or message contains illegal content or violates the platform’s terms of service, users can report it to the platform, which may then decide to remove it or take other appropriate actions. Additionally, legal routes such as court orders can compel the removal of certain content under specific circumstances, but this depends on the nature of the content and applicable laws.

For personal data concerns, regions with stringent data protection laws, like the EU with the GDPR, might offer more control over personal information, allowing individuals to request the removal of personal data under certain conditions. However, this does not always apply directly to messages sent to others within social media platforms. The removal of messages from recipients’ inboxes at the demand of the sender is not typically guaranteed and is heavily dependent on complex legal frameworks.

Users concerned about the permanence of their messages should be advised to exercise caution and consider the potential for long-term accessibility before sending.

Discussion

Discuss PII in the Legal & Regulatory forum.

Was this page helpful?
한국어