TABLE OF CONTENTS

Introduction
I. Prioritizing Sensitive Data
   A. Why Processing Sensitive Data Is Assumed to Entail More Risk
   B. Legal Protections for Sensitive Data
      1. Special Categories of Information in EU Law
      2. Information Subject to Heightened Obligations Under U.S. Law
II. Challenges to Protecting Sensitive Data by Category
   A. Ubiquitous Collection and the Ever-Expanding Categories of Sensitive Data
   B. Uncovering Sensitive Data Through Re-Identification
   C. How the Context of Data Use Affects Sensitivity
III. Rethinking Sensitive Information
Conclusion

INTRODUCTION
Privacy and data protection laws in both the European Union and the United States impose conditions on the processing of certain kinds of personally identifying information, referred to as sensitive data, sensitive information, or special categories of information. The sensitivity of a given piece of information is often used to determine how much legal protection should be afforded to it. This is because greater consequences are likely to result from the misuse of sensitive information compared to misuse of less sensitive or non-sensitive information. Thus, information sensitivity is associated with risk. Indeed, protecting sensitive data has become one of the most important issues in the domain of risk management in recent years.
The categories of information that data protection and privacy laws have tended to recognize as sensitive include health data, financial data, and other types of information considered to be of an intimate or personal nature. The exposure of these types of information is thought to bring about the most severe kinds of privacy harms. And yet, we live in an era where almost any piece of data about a person, sensitive or not, can be linked to their identity. Further, innocuous bits of information can be aggregated from multiple sources that, when observed as a whole, reveal sensitive attributes about a person. Laws that treat certain types of information as warranting heightened legal obligations, therefore, may ultimately fail to adequately protect privacy if they ignore how non-sensitive data can be linked to sensitive data. This Article focuses on understanding why making this link is so vital and what can be done to incorporate a more nuanced conceptualization of the categorization of sensitive data in privacy and data protection law and policymaking.
Ultimately, the reality of a technologically- and data-dependent world means that lawmakers face an uphill battle and must be willing to continuously evaluate and potentially expand the list of data types that receive heightened legal protections. Lawmakers must also address the way in which seemingly innocuous pieces of information can be connected to sensitive types of data, as developments in technology and big data have diminished the utility of the longstanding divide between sensitive and non-sensitive data. In line with this concern, policymakers must reconsider the effectiveness of current approaches to data protection, most of which prioritize information solely according to its nature, type, or category. When determining what legal protections a given piece of data should receive, lawmakers should instead account for whether it can be readily combined with other publicly-available information to uniquely identify a person, the likelihood that it can be linked to or reveal sensitive information, and the context in which it is used.
Before analyzing these obstacles and discussing ways of addressing them, Part I of this Article explains why certain types of information, such as health or financial data, merit heightened legal protections and impose heavier obligations on data processors, collectors, and providers. This is done by focusing on the levels of risk associated with certain types of data across the United States and European Union. Part II of this piece dives into the myriad obstacles that exist in protecting sensitive data, examining how current legal protections are insufficient. Additionally, Part II discusses why proper protections for sensitive information are so vital. Part III suggests various ways in which policymakers ought to rethink sensitive data, and the kind of impact this rethinking can have on privacy rights and data protections.
I. PRIORITIZING SENSITIVE DATA
This Article begins by explaining why the severity of the privacy harms that arise from misuse of sensitive data is often greater than that of the harms associated with misuse of non-sensitive types of data. It then examines the reliance of privacy and data protection laws on the type, nature, or category of information to prioritize protection. Laws that prioritize sensitive information rely on assumptions about data that are being invalidated by innovative developments in technology and data use. More specifically, a purely categorical approach to privacy and data protection fails to recognize the risks generated by the expansion in data collection practices and technologies. Assumptions made by policymakers and legislators in both the European Union and the United States about managing the risks associated with certain types of data thus need to be revisited with these emerging threats to privacy in mind.
A. Why Processing Sensitive Data Is Assumed to Entail More Risk
The sensitivity of a given piece of information is often defined as a function of the magnitude and severity of the risks associated with its processing. For example, one set of guidelines on handling sensitive health information defines it as "information that carries with it unusually high risks in the event of disclosure." (1) Similarly, experimental studies surrounding privacy attitudes and behaviors have demonstrated that individuals' perceptions of information sensitivity are positively correlated with their perceptions of risk or exposure, or the heightened need for privacy. (2) It is well-recognized that the processing of sensitive information, if not handled properly, "can lead to significant forms of harm [to individuals] ... [and] is the kind that exposes the data subject to a high probability of such harm." (3)
Indeed, a key difference between sensitive and non-sensitive information is the level of risk associated with disclosure of the information. For example, as Professor Scott Skinner-Thompson explained, intimate information and political information (4) "tend, by their nature, to involve higher likelihood of downstream consequences (such as employment discrimination resulting from the disclosed intimate information or marginalization caused by the monitoring of political thought) that they are entitled to special protection relative to other forms of information." (5) In other words, whether a certain type of data receives heightened legal protection tends to be determined by the likelihood and severity of the harms that can arise from its misuse.
This association between data sensitivity and privacy risk helps to explain why both EU and U.S. laws impose heightened obligations on entities that process and control data subjects' sensitive information. (6) Several EU resolutions stipulate that special rules should govern the processing of sensitive information in view of the damage that individuals might suffer in case of misuse. (7) As early as 1995, the Data Protection Directive prohibited, subject to limited exceptions, the processing of special categories of personal information; more recently, the General Data Protection Regulation (GDPR), applicable since 2018, added several new conditions for this kind of sensitive data protection. (8)
Article 4 of the GDPR provides definitions for terms found throughout the regulation, which are also common in privacy and data protection discussions, such as personal data, consent, and profiling. (9) Notably, the GDPR makes a nuanced distinction between controllers and processors, imposing a distinct set of requirements upon each. (10) A controller is defined as any "natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data," (11) while a processor is any such entity that processes data on behalf of a controller. (12) Under the GDPR, controllers tend to have greater responsibilities to assess and mitigate the risks of data processing, (13) which the regulation defines as "any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means." (14) Under this expansive definition, the range of operations falling within the scope of processing includes collecting, recording, organizing, structuring, storing, adapting or altering, retrieving, consulting, using, disclosing by transmission, disseminating or otherwise making available, aligning or combining, restricting, erasing, and destroying data. (15)
As noted in the GDPR's recitals, the purpose of which is to express "concise reasons" for the law, (16) one of the underlying rationales for granting specific protection to sensitive information is that "[p]ersonal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms, merit specific protection as the context of their processing could create significant risks to fundamental rights and freedoms." (17)
Processing information that is sensitive in nature is also deemed riskier under U.S. law. For example, guidance on implementing the E-Government Act of 2002 indicates that the addition of health or financial information to a database "raises the risks to personal privacy" and requires the agency to conduct a Privacy Impact Assessment. (18) Other legislation and regulatory guidelines on the application of risk-based approaches to data protection further suggest accounting for the nature of personal information in assessing data processing risks. (19)
Finally, in both the European Union and the United States, sensitive data...