[wtfstatists]

I like this definiton better. IANAL Warning.

Personal Data:

  - PII is Personal Data.

  - If a user has PII, then all of the userdata is Personal Data.

So HN posts would not be Personal Data for the users that have email field empty. And even email (and any other user-entered data) can be made non-PII if ToU explicitly required to be so.

My advice would be to legally and technically isolate PII and other_userdata. GDPR/etc compliance become quite easier this way.

[dogma1138]

ToU don’t change what PII is or isn’t under the GDPR.

The GDPR also states that consent alone isn’t a legal reason to collect or process PII and “advises” against relying and structuring terms of service to collect PII.

Basically you can’t build a service ask people for their data and then relying on their consent for the legal reasoning of having that data. You need an actual legal basis e.g. a regulatory requirement or a business requirement to collect that data, and in all cases the requirements unless stated in law must be evaluated against the best interests of those you collect data from.

[wtfstatists]

> ToU don’t change what PII is or isn’t under the GDPR.

ToU can by prohibiting user from entering any PII. In case of email, ToU would say that only non-identifying email can be used.

For the rest of your comment, I dont see any relevance here. There is no need for consent for non-PII userdata. All PII userdata is behind legal and technical wall and cannot be accessed by the processor/controller of non-PII userdata.

[dogma1138]

There is no such thing as a “non-identifiable” email. You cannot use ToU to bypass GDPR.

[wtfstatists]

Ok here is my email: 1373f84998986cf8@tutanota.com. Identify me! Know that I wont used the email elsewhere.

> You cannot use ToU to bypass GDPR.

Just to clarify this is not buried in ToU but laid out clearly.

So the website says dont give PII. User still does. And GDPR would penalize the website ? Citation please.

[dogma1138]

Are you serious? the fact that your email isn't yourname@mailprovider.com doesn't make it any less identifiable. My IP address is 192.168.1.1 identify me... It also doesn't matter if you think the information is identifiable or not what matters is how the GDPR defines it.

The GDPR defines PII and there isn't anything you can do about it you can't ask users to make a throwaway email account and hope that you can pass GDPR by claiming that it's not PII this isn't how regulation works.

What matters isn't that the email address reveals your name is that someone can use it to identify additional information about you such as if you are subscribed to a specific service or not.

>So the website says dont give PII. User still does. And GDPR would penalize the website ? Citation please.

If the website asks for an email address that is PII under the GDPR.

[wtfstatists]

IP is not a user-entered data and cannot be freely selected, unlike email addresses.

> the fact that your email isn't yourname@mailprovider.com doesn't make it any less identifiable.

The only official guidelines about email I could find are in here [1]. It does not say all email addresses are PII. It just says "name.surname@company.com" type addresses are PII and "info@company.com" type addresses are NOT PII. So even "yourname@mailprovider.com" may be non-PII.

> someone can use it to identify additional information about you such as if you are subscribed to a specific service or not.

Thats not enough. The service need to have PII. That is, if none of the services has PII, the email address is not PII.

> you can't ask users to make a throwaway email account

Throwaway is not needed. At best an individual need 2 email accounts. One address for the services where he is identified (eg bank website) and one address for where he is not (eg random forum).

So this is not an onerous condition at all. If thats the case you are making.

> If the website asks for an email address that is PII under the GDPR.

This is not a (official) citation.

[1] https://ec.europa.eu/info/law/law-topic/data-protection/refo...